A critical vulnerability, CVE-2021-44228, in the Apache Log4j logging library was disclosed on Dec 9. The project provided release 2.15.0 with a patch that mitigates the impact of this CVE. It was quickly found that the initial patch was insufficient, and a second CVE, CVE-2021-45046, followed. This has been fixed in release 2.16.0.
Who is affected?
The bulk of the Vitess code base is written in Go and is unaffected by these vulnerabilities. The only affected component is the vitess-jdbc driver. The Java client does not depend on the logging library and is unaffected. If you are a Vitess user running the vitess-jdbc driver, you may be vulnerable to attacks that exploit these CVEs.
Affected Releases
v10.0.0, v10.0.1, v10.0.2, v11.0.0, v11.0.1, v12.0.0
Older releases that are no longer supported by the community have not been analyzed.
Note: v10.0.3, v11.0.2 and v12.0.1 were released on Dec 14 with log4j upgraded to 2.15.0, but because that version proved insufficient we have had to follow with another set of releases that upgrade to 2.16.0.
If you build vitess from source
Update the dependency in
You can see an example here.
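Added example, not part of the Vitess advisory or its code: a small Python check that reads a Maven pom.xml and reports any org.apache.logging.log4j dependency whose resolved version is below 2.16.0, the release this page names as the fix. It assumes the build declares the dependency in a Maven pom (the page does not name the file); the pom text below is constructed.

```python
import re
import xml.etree.ElementTree as ET

# Minimum log4j release that fixes both CVE-2021-44228 and CVE-2021-45046, per the advisory.
FIXED_VERSION = (2, 16, 0)
LOG4J_GROUP = "org.apache.logging.log4j"

# Constructed sample: log4j-core still pinned (via a property) to the insufficient 2.15.0.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><log4j.version>2.15.0</log4j.version></properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId>
      <version>${log4j.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-api</artifactId>
      <version>2.16.0</version>
    </dependency>
  </dependencies>
</project>"""

def parse_version(text):
    """Turn '2.15.0' into (2, 15, 0); non-numeric parts such as '0-rc1' count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in text.strip().split("."))

def resolve(value, props):
    """Expand ${prop} references using the pom's <properties> block; unknown ones are left as-is."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value)

def log4j_findings(pom_xml):
    """Return [(artifactId, version_or_None, needs_upgrade)] for every log4j dependency.
    A dependency with no explicit version (inherited from a parent/BOM) is reported
    with version None and needs_upgrade True so that it gets reviewed rather than ignored."""
    root = ET.fromstring(pom_xml)
    for el in root.iter():  # drop the Maven namespace so plain tag names match
        if "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]
    props = {p.tag: (p.text or "") for p in root.findall("./properties/*")}
    findings = []
    for dep in root.iter("dependency"):
        if dep.findtext("groupId", "") != LOG4J_GROUP:
            continue
        artifact = dep.findtext("artifactId", "")
        raw = dep.findtext("version")
        if raw is None:
            findings.append((artifact, None, True))
            continue
        version = resolve(raw, props)
        findings.append((artifact, version, parse_version(version) < FIXED_VERSION))
    return findings
```

Run it against your own pom; any entry reported with needs_upgrade True should be moved to 2.16.0 or later before rebuilding.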
If you download vitess artifacts from maven-central
We have released new artifacts for the supported releases.