
Updates on Apache Log4j Vulnerabilities

Last Updated: 12 Jan 2022, 5:00 pm EST (change history)

Our Commitment to Security

As soon as Tamr’s security team received notification from our security partners, we initiated an ongoing comprehensive review of all Tamr software and third-party dependencies related to Log4j.

Tamr recommends as industry best practice that Tamr Core instances are behind a firewall and actively scanned for unusual activity. Web Application Firewalls such as Google Cloud Armor and Cloudflare are also updating their rules to detect and block these attacks.

Additionally, see the Log4j in Tamr's Third-Party Systems section below for statements from Tamr's third-party vendors and cloud providers regarding their ongoing analysis and potential mitigation for this vulnerability.

Tamr has delivered, or is actively working on, remediation for the following vulnerabilities, and plans to release patch versions that address them as soon as possible:

  • Apache Log4j CVE-2021-44832 - classified as "Moderate" with a CVSS score of 6.6 out of 10. Tamr customers are not materially affected; Tamr is investigating whether any future remediation is needed.
  • Apache Log4j CVE-2021-45105 - classified as "High severity" with a CVSS score of 7.5 out of 10. Tamr customers are not materially affected; however Tamr will be issuing a patch to address this CVE in Tamr Core.
  • Apache Log4j CVE-2021-45046 - classified as “Critical” with a CVSS score of 9.0 out of 10, allowing for Remote Code Execution with system-level privileges. There are two separate vulnerabilities that need to be addressed:
    • In Tamr Core - Tamr will be issuing a patch to address this CVE in Tamr Core.
    • In Elasticsearch - either follow the steps in Replace Elasticsearch Packages or install the patch that will be issued by Tamr. Either of these will remediate the vulnerability in Elasticsearch.
  • Apache Log4j CVE-2021-44228 - classified as “Critical” with a CVSS score of 10 out of 10, allowing for Remote Code Execution with system-level privileges.
    If you have not yet done so, follow the instructions below for this CVE to fully address this critical vulnerability.
  • Apache Log4j CVE-2021-4104 - classified as “High severity” with a CVSS score of 7.5 out of 10. Tamr Core is not subject to this vulnerability. This vulnerability is specific to JMSAppender in Log4j 1.2, and the Log4j configuration provided with Tamr Core does not use the JMSAppender. (More information on CVE-2021-4104.)

Note: If you were planning an upgrade to an existing patch release, you should (a) wait on upgrading to a new patch and (b) remediate CVE-2021-44228 while Tamr compiles a new patch for these vulnerabilities. See the Tamr Core Patch Releases section.

Apache Log4j CVE-2021-44832 Vulnerability

On December 28, 2021, Apache published vulnerability CVE-2021-44832 for Apache Log4j2. This vulnerability is rated 6.6 out of a maximum of 10 on the CVSS rating system.

Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.

Tamr customers are not materially affected, since this vulnerability depends on a specific configuration that Tamr does NOT ship: Apache Log4j2 versions up to and including 2.17.0 are vulnerable to RCE only with a malicious JDBC Appender configuration, and Tamr does not ship such a configuration. Apache has released 2.17.1, which fixes the issue.

Apache Log4j CVE-2021-45105 Vulnerability

On December 18, 2021, Apache published vulnerability CVE-2021-45105 for Apache Log4j2. This vulnerability is rated 7.5 out of a maximum of 10 on the CVSS rating system.

Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3) did not protect from uncontrolled recursion from self-referential lookups. When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup, resulting in a StackOverflowError that will terminate the process. This is also known as a DOS (Denial of Service) attack. This issue was fixed in Log4j 2.17.0 and 2.12.3.

Tamr customers are not materially affected because neither the provided logging configuration for Tamr Core nor the provided logging configuration for Elasticsearch contains any of the affected patterns. Tamr is planning a patch that includes Log4j 2.17, which remedies all known Log4j vulnerabilities.

Apache Log4j CVE-2021-45046 Vulnerability

On December 14th 2021, Apache published an update on the reported CVE-2021-45046 vulnerability.

This vulnerability is rated 9.0 out of a maximum of 10 on the CVSS rating system and affects all versions of Log4j from 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0, the latter of which the project maintainers had shipped the previous week to address a critical remote code execution vulnerability (CVE-2021-44228) that could be abused to infiltrate and take over systems.

It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. When the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC), attackers with control over Thread Context Map (MDC) input data could craft malicious input data using a JNDI Lookup pattern, resulting in a denial of service (DoS) attack and possible remote code execution. Log4j 2.15.0 makes a best-effort attempt to restrict JNDI LDAP lookups to localhost by default. Log4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.
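Both this CVE and CVE-2021-45105 above apply only when the Pattern Layout contains a Context Lookup or a Thread Context Map pattern. As an added example that is not part of Tamr's advisory or its shipped configuration, the following shell check scans a Log4j2 configuration file for exactly those elements; the XML fragments it runs on are constructed.

```shell
#!/bin/sh
# Added example, not from Tamr: scan a Log4j2 configuration for the non-default
# PatternLayout elements that CVE-2021-45046 and CVE-2021-45105 depend on: a
# Context Lookup (${ctx:...} / $${ctx:...}) or a Thread Context Map pattern
# (%X, %mdc, %MDC). A clean result is what makes a shipped configuration
# unaffected by these two CVEs; the version upgrade is still needed for CVE-2021-44228.
set -eu

# Print one line per affected pattern kind found in the config file; prints
# nothing when none are present. Exit status is always 0.
affected_patterns() {
    cfg="$1"
    # ${ctx:key} or $${ctx:key}: Context Lookup inside the layout pattern
    if grep -Eq '[$]+[{]ctx:' "$cfg"; then echo "context-lookup"; fi
    # %X or %X{key}: Thread Context Map pattern (uppercase X; %xEx is unrelated)
    if grep -q '%X' "$cfg"; then echo "thread-context-map-%X"; fi
    # %mdc / %MDC: the same map under its older names
    if grep -Eiq '%mdc' "$cfg"; then echo "thread-context-map-%mdc"; fi
}

# Exit status 0 if the config contains any affected pattern, 1 otherwise.
is_affected() {
    [ -n "$(affected_patterns "$1")" ]
}

# Walk-through on two constructed log4j2.xml fragments (not Tamr's files).
demo() {
    work=$(mktemp -d)
    printf '%s\n' '<PatternLayout pattern="%d %p %c{1.} [%t] user=$${ctx:loginId} %X{requestId} %m%n"/>' > "$work/custom.xml"
    printf '%s\n' '<PatternLayout pattern="%d %p %c{1.} [%t] %m%n"/>' > "$work/default.xml"
    for f in custom.xml default.xml; do
        if is_affected "$work/$f"; then
            echo "$f: contains affected patterns:"
            affected_patterns "$work/$f" | sed 's/^/  /'
        else
            echo "$f: no affected patterns"
        fi
    done
    rm -r "$work"
}

demo
```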

We are actively investigating this issue. Tamr will be issuing a patch for this vulnerability and, depending on your release, you may need to do a minor upgrade to fix it. Until the patch is available, complete the steps in Replace Elasticsearch Packages for remediation in Elasticsearch.

Note: Tamr Core auxiliary services will also need remediation. Tamr will update this note or contact you directly to address this.

Apache Log4j CVE-2021-44228 Vulnerability

On December 9th 2021, Apache published a zero-day vulnerability (CVE-2021-44228) for Apache Log4j2, being referred to as “Log4Shell”. This vulnerability has been classified as “Critical” with a CVSS score of 10, allowing for Remote Code Execution with system-level privileges.

When exploited, this vulnerability allows an attacker to run arbitrary code on the device, giving full control over to the attacker. Therefore, any device exploited should be considered compromised, potentially along with any devices that trusted the compromised device.

We are actively responding to the reported remote code execution vulnerability in the Apache Log4j 2 Java library dubbed Log4Shell (or LogJam). We are investigating and taking action for Tamr solutions that may be potentially impacted, and will continually publish information to help customers detect, investigate and mitigate attacks.

The result of this review is that Tamr Core includes vulnerable versions of the log4j library, and customers should take the immediate actions below to mitigate this exposure.

Apply Advice from Apache Software Foundation

You can immediately address this issue by following the advice in the security statement from the Apache Software Foundation. You can do this either by running a Tamr-provided script or following the manual steps below.

Note: Java-based Tamr auxiliary services are remediated by both the script and manual steps.

After running the script or applying the manual steps, follow the steps in Replace Elasticsearch Packages (optional but recommended for this CVE).

Request Script

Tamr has a script that can be run on Tamr Core servers to remediate the vulnerability, replacing the Manual Steps below. Please contact Tamr Support ([email protected]) to download the script and instructions on how to run it in your environments. We strongly recommend using this script; alternatively, you can follow the manual steps listed below.

Manual Steps

To address this issue by following the advice in the security statement from the Apache Software Foundation:

  1. Stop Tamr Core and its dependencies:
    • stop-unify.sh
    • stop-dependencies.sh
  2. Edit tamr/start-dependencies.sh to add as line 2:
    • export LOG4J_FORMAT_MSG_NO_LOOKUPS=true
  3. Edit tamr/start-unify.sh to add as line 2:
    • export LOG4J_FORMAT_MSG_NO_LOOKUPS=true
  4. Restart Tamr Core and its dependencies:
    • start-dependencies.sh
    • start-unify.sh
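The edit in steps 2 and 3 above, as an added shell example that is not Tamr's remediation script: it inserts the export as line 2 only when it is not already present, refuses a file whose first line is not a shebang, and verifies the result on constructed stand-ins for the two start scripts (the file contents are assumptions).

```shell
#!/bin/sh
# Added example (not Tamr's remediation script): apply the Manual Steps' edit
# idempotently, inserting the LOG4J_FORMAT_MSG_NO_LOOKUPS export as line 2 of a
# start script, and verify the result. The demo uses constructed stand-ins,
# not the real tamr/start-dependencies.sh and tamr/start-unify.sh.
set -eu

MITIGATION='export LOG4J_FORMAT_MSG_NO_LOOKUPS=true'

# Exit status 0 if the script already contains the export on a line of its own.
has_mitigation() {
    grep -qx "$MITIGATION" "$1"
}

# Insert the export as line 2 (directly after the shebang) unless present.
# Refuses to edit a file whose first line is not a shebang, since then
# "line 2" would land inside the script body instead of ahead of it.
add_mitigation() {
    script="$1"
    if has_mitigation "$script"; then
        echo "already mitigated: $script"
        return 0
    fi
    if ! head -n 1 "$script" | grep -q '^#!'; then
        echo "refusing to edit $script: line 1 is not a shebang" >&2
        return 1
    fi
    tmp="$script.tmp.$$"
    awk -v line="$MITIGATION" 'NR == 1 { print; print line; next } { print }' "$script" > "$tmp"
    # Overwrite through cat so the original file mode (executable bit) is kept.
    cat "$tmp" > "$script"
    rm -f "$tmp"
    echo "mitigated: $script"
}

# Walk-through on constructed copies of the two start scripts named above.
demo() {
    work=$(mktemp -d)
    for s in start-dependencies.sh start-unify.sh; do
        printf '#!/bin/bash\necho "starting %s"\n' "$s" > "$work/$s"
        add_mitigation "$work/$s"
        add_mitigation "$work/$s"    # second run is a no-op
        sed -n '2p' "$work/$s"       # shows the inserted line 2
    done
    rm -r "$work"
}

demo
```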

The version of Elasticsearch used for Tamr Core’s logging ELK stack is also vulnerable, but the Tamr Core ELK stack is disabled by default on all Tamr Core installations. You can confirm that the Tamr Core ELK stack is disabled by running:
  • utils/unify-admin.sh config:get TAMR_ELK_ENABLED

If this returns “TAMR_ELK_ENABLED: false”, then Tamr Core’s logging ELK stack is disabled and no further action is necessary.

If this returns “TAMR_ELK_ENABLED: true”, then Tamr Core’s logging ELK stack can be disabled by:

  1. Stop Tamr Core and its dependencies:
    • stop-unify.sh
    • stop-dependencies.sh
  2. Modify the configuration:
    • start-zk.sh
    • utils/unify-admin.sh config:set TAMR_ELK_ENABLED=false
  3. Restart Tamr Core and its dependencies:
    • start-dependencies.sh
    • start-unify.sh

If you require Tamr Core’s logging ELK stack to be enabled, please contact Tamr Support ([email protected]) for further details for mitigation.

Replace Elasticsearch Packages

CVE-2021-45046: Tamr will be releasing a patch to address this CVE in Tamr Core; until this patch is available, complete the steps in this section for remediation in Elasticsearch.

CVE-2021-45105 and CVE-2021-44228: The steps in this section are optional but recommended for CVE-2021-45105 and CVE-2021-44228. With the manual steps in place or with the script run, the risk from CVE-2021-44228 is mitigated. However, vulnerability scans may still report that vulnerable packages are installed on the Tamr system. To address these warnings, the vulnerable packages for Elasticsearch can be replaced by the most recent release from Apache.

Install version 2.17.0 or later of the log4j package from the Apache download site. If you have installed a prior version of Log4j due to CVE-2021-44228 or CVE-2021-45046, we recommend upgrading to 2.17.0. Once you have downloaded and unpacked this release, please follow the steps below to replace Elasticsearch packages with the 2.17.0 version:

  1. Verify your Apache download’s checksum and signatures following Apache’s instructions.
  2. Stop Tamr Core and its dependencies:
    • stop-unify.sh
    • stop-dependencies.sh
  3. Replace the following 7 files with their updated equivalents (note that the elasticsearch directories are in the parent directory of the tamr directory):
    • elasticsearch-5.6.3/lib/log4j-api-2.9.1.jar
    • elasticsearch-5.6.3/lib/log4j-1.2-api-2.9.1.jar
    • elasticsearch-5.6.3/lib/log4j-core-2.9.1.jar
    • elasticsearch-with-plugins-6.8.2/lib/log4j-api-2.11.1.jar
    • elasticsearch-with-plugins-6.8.2/lib/log4j-1.2-api-2.11.1.jar
    • elasticsearch-with-plugins-6.8.2/lib/log4j-core-2.11.1.jar
    • elasticsearch-with-plugins-6.8.2/plugins/repository-hdfs/log4j-slf4j-impl-2.11.1.jar

    For example, if updating to version 2.17.0, the replacements would be (replace this file → with this file):
    • elasticsearch-5.6.3/lib/log4j-api-2.9.1.jar → elasticsearch-5.6.3/lib/log4j-api-2.17.0.jar
    • elasticsearch-5.6.3/lib/log4j-1.2-api-2.9.1.jar → elasticsearch-5.6.3/lib/log4j-1.2-api-2.17.0.jar
    • elasticsearch-5.6.3/lib/log4j-core-2.9.1.jar → elasticsearch-5.6.3/lib/log4j-core-2.17.0.jar
    • elasticsearch-with-plugins-6.8.2/lib/log4j-api-2.11.1.jar → elasticsearch-with-plugins-6.8.2/lib/log4j-api-2.17.0.jar
    • elasticsearch-with-plugins-6.8.2/lib/log4j-1.2-api-2.11.1.jar → elasticsearch-with-plugins-6.8.2/lib/log4j-1.2-api-2.17.0.jar
    • elasticsearch-with-plugins-6.8.2/lib/log4j-core-2.11.1.jar → elasticsearch-with-plugins-6.8.2/lib/log4j-core-2.17.0.jar
    • elasticsearch-with-plugins-6.8.2/plugins/repository-hdfs/log4j-slf4j-impl-2.11.1.jar → elasticsearch-with-plugins-6.8.2/plugins/repository-hdfs/log4j-slf4j-impl-2.17.0.jar
  4. Restart Tamr Core and its dependencies:
    • start-dependencies.sh
    • start-unify.sh
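The file replacement in step 3, as an added shell example that is not Tamr's patch or support script: it derives each 2.17.0 path from the listed jar name, keeps the destination directory (the point of the 27 Dec change below), moves the old jar into a backup directory outside the Elasticsearch lib and plugins paths, and skips jars that are already replaced. BASE, RELEASE and the log4j-backup directory name are assumptions, and the demo runs on empty stand-in files.

```shell
#!/bin/sh
# Added example, not Tamr's patch or support script: swap the seven Elasticsearch
# Log4j jars listed above for their 2.17.0 equivalents from an unpacked Apache
# release, keeping each jar's destination directory.
# Assumed arguments: BASE is the parent directory of the tamr directory; RELEASE
# is the unpacked release directory whose checksum and signature you verified.
set -eu

NEW_VERSION=2.17.0

# The vulnerable jars from step 3 above, relative to BASE.
OLD_JARS='elasticsearch-5.6.3/lib/log4j-api-2.9.1.jar
elasticsearch-5.6.3/lib/log4j-1.2-api-2.9.1.jar
elasticsearch-5.6.3/lib/log4j-core-2.9.1.jar
elasticsearch-with-plugins-6.8.2/lib/log4j-api-2.11.1.jar
elasticsearch-with-plugins-6.8.2/lib/log4j-1.2-api-2.11.1.jar
elasticsearch-with-plugins-6.8.2/lib/log4j-core-2.11.1.jar
elasticsearch-with-plugins-6.8.2/plugins/repository-hdfs/log4j-slf4j-impl-2.11.1.jar'

# Old relative path -> new relative path: same directory, same artifact name
# (everything before the trailing -<version>.jar), new version.
new_path() {
    artifact=$(basename "$1")
    artifact=${artifact%-*}    # log4j-1.2-api-2.9.1.jar -> log4j-1.2-api
    echo "$(dirname "$1")/$artifact-$NEW_VERSION.jar"
}

# Replace one jar. Idempotent: an already replaced jar is reported and skipped.
# The old jar is moved to BASE/log4j-backup, outside any Elasticsearch classpath.
replace_jar() {
    base="$1"; release="$2"; old_rel="$3"
    new_rel=$(new_path "$old_rel")
    src="$release/$(basename "$new_rel")"
    if [ ! -f "$base/$old_rel" ]; then
        if [ -f "$base/$new_rel" ]; then echo "already replaced: $new_rel"; return 0; fi
        echo "not found: $base/$old_rel" >&2; return 1
    fi
    if [ ! -f "$src" ]; then echo "missing in release: $src" >&2; return 1; fi
    mkdir -p "$base/log4j-backup"
    mv "$base/$old_rel" "$base/log4j-backup/"
    cp "$src" "$base/$new_rel"
    echo "replaced: $old_rel -> $new_rel"
}

# Replace all seven jars; stops at the first error (set -e inside the pipeline).
replace_all() {
    echo "$OLD_JARS" | while IFS= read -r jar; do replace_jar "$1" "$2" "$jar"; done
}

# Walk-through on a constructed layout with empty stand-in jars, not real ones.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/release"
    echo "$OLD_JARS" | while IFS= read -r jar; do
        mkdir -p "$work/base/$(dirname "$jar")"
        : > "$work/base/$jar"
        : > "$work/release/$(basename "$(new_path "$jar")")"
    done
    replace_all "$work/base" "$work/release"
    replace_all "$work/base" "$work/release"    # second run: all "already replaced"
    rm -r "$work"
}

demo
```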

Log4j in Tamr's Third-Party Systems

Software Vendors

In addition to third-party libraries, the Tamr system incorporates many third-party systems. We have been monitoring statements from the vendors of these systems to ensure that we take appropriate action with respect to the Log4j CVEs.

Vendor

Statement

Apache Software Foundation

The Apache Software Foundation issued a comprehensive security statement: https://blogs.apache.org/security/entry/cve-2021-44228.

  • Apache Hadoop (including HBase) - Not affected
  • Apache Spark (including Yarn) - Not affected
  • Apache Zookeeper - Not affected

Elasticsearch

Elasticsearch issued a comprehensive security statement: https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476.

  • Elasticsearch 6 on JDK8 - Affected, included in remediation
  • Elasticsearch 5 on JDK8 - Affected, included in remediation
  • Beats - Not affected
  • Kibana - Not affected

Grafana

Grafana issued a statement:
https://grafana.com/blog/2021/12/14/grafana-labs-core-products-not-impacted-by-log4j-cve-2021-44228-and-related-vulnerabilities/.

  • Grafana - Not affected

Prometheus

Prometheus is implemented in Go, not Java, and is therefore not affected. The various Prometheus exporters provided with Tamr are also implemented in Go, not Java, and are therefore not affected.

PostgreSQL

PostgreSQL is implemented in C, not Java, and is therefore not affected.

Nginx

Nginx is implemented in C, not Java, and is therefore not affected.

Multilog

Multilog is implemented in C, not Java, and is therefore not affected.

Cloud Providers

When deployed in a cloud native configuration, the Tamr system replaces some of these third-party software packages with cloud services.

Cloud Provider

Statement

AWS

Amazon Web Services issued a comprehensive statement: https://aws.amazon.com/security/security-bulletins/AWS-2021-006/.

  • EMR - the services used by Tamr may be affected; customers should upgrade their EMR clusters when the patched versions are available
  • OpenSearch - Affected; AWS has automatically updated these services as of December 15th
  • RDS - The PostgreSQL RDS is not affected
  • S3 - Amazon S3 completed patching for the Apache Log4j2 issue

Depending on deployment configuration, customers may use other AWS services that are affected.

Azure

Microsoft issued a comprehensive statement: https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/.

  • HDInsight - Affected; Azure is auto-patching HDInsight for customers who have automatic updates enabled.

Depending on deployment configuration, customers may use other Azure services that are affected.

Databricks

Databricks issued a comprehensive statement: https://databricks.com/blog/2021/12/13/log4j2-vulnerability-cve-2021-44228-research-and-assessment.html.

  • Databricks Spark - Not affected

GCP

Google Cloud Platform issued a comprehensive statement: https://cloud.google.com/log4j2-security-advisory.

  • Dataproc - Affected. Customers must upgrade their Dataproc clusters.
  • CloudSQL - The Postgres personality is not affected.

Depending on deployment configuration, customers may use other GCP services that are affected.

We will further update this guidance as we continue to learn from our investigation.

Tamr Core Patch Releases

Patched versions of Tamr Core are in progress to address the following Apache Log4j vulnerabilities:

  • Apache Log4j CVE-2021-45105
  • Apache Log4j CVE-2021-45046
  • Apache Log4j CVE-2021-44228

The patched versions will fully remediate these vulnerabilities in Tamr Core and Elasticsearch by updating Tamr Core to use Apache Log4j version 2.17.0.

Tamr Support will contact you when a patch that is applicable to your Tamr release is available.

Important: Be sure to install the patch for the version of Tamr Core that your system is running regardless of whether you previously took the remediation steps in this article.

Change History

Date/Time

Change Summary

11 Jan 2022, 5:00 pm EST

Added statement for Apache Log4j CVE-2021-4104. Tamr Core is not subject to this vulnerability.

29 Dec 2021, 10:15 am EST

Added the CVE-2021-44832 section.

27 Dec 2021, 2:00 pm EST

Updated the Replace Elasticsearch Packages instructions to restore the original destination directory for the log4j-slf4j-impl-2.17.0.jar file.

23 Dec 2021, 12:30 pm EST

Updated the Replace Elasticsearch Packages instructions to correct the destination directory for the log4j-slf4j-impl-2.17.0.jar file. This file should be installed in a directory that is different than the file it replaces. The location of this file does not affect how Elasticsearch starts and runs. When you update to a patched version, the location of this file will be verified and corrected automatically.

22 Dec 2021, 4:30 pm EST

Added the Tamr Core Patch Releases section.

20 Dec 2021, 5:00 pm EST

Clarified that for CVE-2021-45046, there are two separate vulnerabilities that need to be addressed:
  • In Tamr Core - Tamr will be issuing a patch to address this CVE in Tamr Core.
  • In Elasticsearch - customers can either follow the steps in Replace Elasticsearch Packages or install the patch that will be issued by Tamr. Either of these will remediate the vulnerability in Elasticsearch.

20 Dec 2021, 11:30 am EST

Added summary and statement for CVE-2021-45105.

Updated "Replacing Elasticsearch Packages" remediation steps to recommend replacing the packages with version 2.17.0 or later. If you have installed a prior version of Log4j due to CVE-2021-44228 or CVE-2021-45046, Tamr recommends upgrading to 2.17.0.

17 Dec 2021, 5:30 pm EST

For CVE-2021-45046, clarified that users should replace Elasticsearch packages for remediation in Elasticsearch until a Tamr Core patch is available.

Added section "Log4j in Tamr's Third-Party Systems" with statements from third-party vendors and cloud providers regarding Log4j CVEs.

17 Dec 2021, 4:15 pm EST

CVE-2021-45046 severity has been upgraded from 3.7 to 9.0 out of 10 on the CVSS rating system, allowing for Remote Code Execution with system-level privileges. Tamr is continuing to investigate this vulnerability.

17 Dec 2021, 1:00 pm EST

Provided an update on a planned patch release to address CVE-2021-45046.

Clarified that replacing Elasticsearch packages is optional:

  • For CVE-2021-44228, complete the steps to address vulnerability scan reports that vulnerable packages are installed on the Tamr system.
  • For CVE-2021-45046, complete the steps if you require mitigation before a Tamr patch is available.

16 Dec 2021, 3:00 pm EST

General: Clarified the severity of each issue and which issues are remediated or still in progress. Added a note regarding Tamr Core auxiliary services.

For CVE-2021-45046, clarified severity (not-critical) and future patch availability.

For CVE-2021-44228, clarified the steps to remediate the vulnerability.

16 Dec 2021, 7:45 am EST

For CVE-2021-44228, clarified that replacing Elasticsearch packages is needed after running the Tamr-provided remediation script.

15 Dec 2021, 2:30 pm EST

Investigating newly identified vulnerability, CVE-2021-45046.

Updated "Replacing Elasticsearch Packages" remediation steps for CVE-2021-44228:

  • Replacing Elasticsearch packages is now required.
  • Required log4j package version is 2.16.0 or later.
  • Added link to verify your Apache download’s checksum and signatures.

Updated title to reflect multiple Log4j vulnerabilities.

14 Dec 2021, 4:30 pm EST

Script available from Tamr Support to remediate vulnerability CVE-2021-44228.

14 Dec 2021, 12:00 pm EST

Provided steps to remediate vulnerability CVE-2021-44228.

13 Dec 2021, 2:30 pm EST

Initial version.