User GuidesAPI ReferenceRelease NotesEnrichment APIs
Doc HomeHelp CenterLog In

Updates on Apache Log4j Vulnerabilities

Last Updated: 26 July 2022, 12:00 pm ET (change history)

Our Commitment to Security

As soon as Tamr’s security team received notification from our security partners, we initiated an on-going comprehensive review of all Tamr software and third party dependencies related to Log4j.

Tamr has delivered patch versions that remediate the vulnerabilities listed below. Additionally, all Tamr Core versions v2021.021.0 and later include this remediation.

  • Apache Log4j CVE-2021-45046 - classified as “Critical” with a CVSS score of 9.0 out of 10, allowing for Remote Code Execution with system-level privileges. The patches issued by Tamr remediate the vulnerability in Tamr Core and Elasticsearch.
  • Apache Log4j CVE-2021-44228- classified as “Critical” with a CVSS score of 10 out of 10, allowing for Remote Code Execution with system-level privileges. The patches issued by Tamr remediate the vulnerability in Tamr Core.
    If you have not yet done so, follow the instructions below for this CVE to fully address this critical vulnerability.
  • Apache Log4j CVE-2021-45105 - classified as "High severity" with a CVSS score of 7.5 out of 10. While Tamr customers are not materially affected, the Tamr Core patches address this CVE.

Tamr Core is not subject to the following additional vulnerabilities:

  • Apache Log4j CVE-2021-4101 - classified as “High severity” with a CVSS score of 7.5 out of 10. Tamr Core is not subject to this vulnerability. This vulnerability is specific to JMSAppender in Log4j 1.2, and the Log4j configuration provided with Tamr core does not use the JMSAppender.
  • Apache Log4j CVE-2021-44832 - classified as "Moderate" with a CVSS score of 6.6 out of 10. Tamr customers are not materially affected.

Additionally, see the Log4j in Tamr's Third-Party Systems section below for statements from Tamr's third-party vendors and cloud providers regarding their analysis of these vulnerabilities.

Tamr recommends as industry best practice that Tamr Core instances are behind a firewall and actively scanned for unusual activity. Web Application Firewalls such as Google Cloud Armor and Cloudflare have updated their rules to detect and block these attacks.

Tamr Core Releases to Address Apache Log4j Vulnerabilities

Starting with Tamr release v2021.021.0, all releases use Apache Log4j version 2.17.0, which remedies all known Log4j vulnerabilities.

Additionally, patched versions of Tamr Core are available to address the following Apache Log4j vulnerabilities:

  • Apache Log4j CVE-2021-45105
  • Apache Log4j CVE-2021-45046
  • Apache Log4j CVE-2021-44228

The patched versions fully remediate these vulnerabilities in Tamr Core and Elasticsearch by updating Tamr Core to use Apache Log4j version 2.17.0.

Important: Be sure to install the patch for the version of Tamr Core that your system is running regardless of whether you previously took the remediation steps in this article.

Available patches:

  • v2021.020.2
  • v2021.006.4
  • v2021.002.4
  • v2020.024.3
  • v2020.016.7
  • v2020.012.1
  • v2020.004.3
  • v2019.019.2

Note: Tamr also remediated the vulnerabilities in the Tamr Core auxiliary services. Tamr contacted impacted customers directly to provide the necessary update.

Log4j in Tamr's Third-Party Systems

Software Vendors

In addition to third-party libraries, the Tamr system incorporates many third-party systems. We have been monitoring statements from the vendors of these systems to ensure that we take appropriate action with respect to the Log4j CVEs.

Vendor Statement
Apache Software Foundation The Apache Software Foundation issued a comprehensive security statement: https://blogs.apache.org/security/entry/cve-2021-44228.
  • Apache Spark (including Yarn) - Not affected
  • Apache Zookeeper - Not affected
  • Apache Hadoop (including HBase) - Not affected

    Additional details for Hadoop:

    At this time, all released versions of Hadoop use Log4j 1.2. See the known security vulnerabilities in Log4j1 on the Log4j1 Security page: https://logging.apache.org/log4j/1.2/. The Log4j1 configuration provided by Tamr does not use any of the vulnerable appenders, sinks, or optional components, ensuring that the Log4j1 vulnerabilities are not exploitable on Tamr systems.

If customers are concerned about the presence of these components on Tamr systems, Tamr can provide a tool to remove the vulnerable components. This does not impact the functionality of the Tamr system.

Elasticsearch Elasticsearch issued a comprehensive security statement: https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476.
  • Elasticsearch 6 on JDK8 - Affected, included in remediation
  • Elasticsearch 5 on JDK8 - Affected, included in remediation
  • Beats - Not affected
  • Kibana - Not affected
Grafana Grafana issued a statement:

https://grafana.com/blog/2021/12/14/grafana-labs-core-products-not-impacted-by-log4j-cve-2021-44228-and-related-vulnerabilities/.

  • Grafana - Not affected
Prometheus Prometheus is implemented in Go, not Java, and is therefore not affected. The various prometheus exporters provided with Tamr are also implemented in Go, not Java, and are therefore not affected.
PostgreSQL PostgreSQL is implemented in C, not Java, and is therefore not affected.
Nginx Nginx is implemented in C, not Java, and is therefore not affected.
Multilog Multilog is implemented in C, not Java, and is therefore not affected.

Cloud Providers

When deployed in a cloud native configuration, the Tamr system replaces some of these third-party software packages with cloud services.

Cloud Provider Statement
AWS Amazon Web Services issued a comprehensive statement: https://aws.amazon.com/security/security-bulletins/AWS-2021-006/.
  • EMR - the services used by Tamr may be affected; customers should upgrade their EMR clusters when the patched versions are available
  • OpenSearch - Affected; AWS has automatically updated these services as of December 15th
  • RDS - The PostgreSQL RDS is not affected
  • S3 - Amazon S3 completed patching for the Apache Log4j2 issue

    Depending on deployment configuration, customers may use other AWS services that are affected.

Azure Microsoft issued a comprehensive statement: https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/.
  • HDInsight - Affected; Azure is auto-patching HDInsight for customers who have automatic updates enabled.

    Depending on deployment configuration, customers may use other Azure services that are affected.

Databricks Databricks issued a comprehensive statement: https://databricks.com/blog/2021/12/13/log4j2-vulnerability-cve-2021-44228-research-and-assessment.html.
  • Databricks Spark - Not affected
GCP Google Cloud Platform issued a comprehensive statement: ​​https://cloud.google.com/log4j2-security-advisory.
  • Dataproc - Affected. Customers must upgrade their Dataproc clusters.
  • CloudSQL - The Postgres personality is not affected.

    Depending on deployment configuration, customers may use other GCP services that are affected.

Change History

Date/Time

Change Summary

26 July 2022, 12:00 pm EDT

Updated to include details for available patches. Removed information and steps that are no longer applicable due to patch availability.

16 Feb 2022, 11:00 am EST

Updated the "Software Vendors]" table with details for Apache Hadoop's use of Log4j 1.2; Tamr Core is not subject to Log4j1 vulnerabilities.

11 Jan 2022, 5:00 pm EST

Added statement for Apache Log4j CVE-2021-4104. Tamr Core is not subject to this vulnerability.

29 Dec 2021, 10:15 am EST

Added the CVE-2021-44832 section.

27 Dec 2021, 2:00 pm EST

Updated the "Replace Elasticsearch Packages" instructions to restore the original destination directory for the log4j-slf4j-impl-2.17.0.jar file.

23 Dec 2021, 12:30 pm EST

Updated the "Replace Elasticsearch Packages" instructions to correct the destination directory for the log4j-slf4j-impl-2.17.0.jar file. This file should be installed in a directory that is different than the file it replaces. The location of this file does not affect how Elasticsearch starts and runs. When you update to a patched version, the location of this file will be verified and corrected automatically.

22 Dec 2021, 4:30 pm EST

Added the "Tamr Core Patch Releases" section.

20 Dec 2021, 5:00 pm EST

Clarified that for CVE-2021-45046, there are two separate vulnerabilities that needs to be addressed:
- In Tamr Core - Tamr will be issuing a patch to address this CVE in Tamr Core.
- In Elasticsearch - customers can either follow the steps in Replace Elasticsearch Packages or install the patch that will be issued by Tamr. Either of these will remediate the vulnerability in Elasticsearch.

20 Dec 2021, 11:30 am EST

Added summary and statement for CVE-2021-45105.

Updated "Replacing Elasticsearch Packages" remediation steps to recommend replacing the packages with version 2.17.0 or later. If you have installed a prior version of Log4j due to CVE-2021-44228 or CVE-2021-45056, Tamr recommends upgrading to 2.17.0.

17 Dec 2021, 5:30 pm EST

For CVE-2021-45046, clarified that users should replace Elasticsearch packages for remediation in Elasticsearch until a Tamr Core patch is available.

Added section "Log4j in Tamr's Third-Party Systems" with statements from third-party vendors and cloud providers regarding Log4j CVEs.

17 Dec 2021, 4:15 pm EST

CVE-2021-45046 severity has been upgraded from 3.7 to 9.0 out of 10 on the CVSS rating system, allowing for Remote Code Execution with system-level privileges. Tamr is continuing to investigate this vulnerability.

17 Dec 2021, 1:00 pm EST

Provided an update on a planned patch release to address CVE-2021-45046.

Clarified that replacing Elasticsearch packages is optional:

  • For CVE-2021-22448, complete the steps to address vulnerability scan reports that vulnerable packages are installed on the Tamr system.
  • For CVE-2021-45046, complete the steps if you require mitigation before a Tamr patch is available.

16 Dec 2021, 3:00 pm EST

General: Clarity on severity on each issue and which issues are remediated or still in-progress. Added a note re: Tamr Core auxiliary services.

For CVE-2021-45046, clarified severity (not-critical) and future patch availability.

For CVE-2021-44228, clarified the steps to remediate the vulnerability.

16 Dec 2021, 7:45 am EST

For CVE-2021-44228, clarified that replacing Elasticsearch packages is needed after running the Tamr-provided remediation script.

15 Dec 2021, 2:30 pm EST

Investigating newly identified vulnerability, CVE-2021-45046.

Updated "Replacing Elasticsearch Packages" remediation steps for CVE-2021-44228:

  • Replacing Elasticsearch packages is now required.
  • Required log4j package version is 2.16.0 or later.
  • Added link to verify your Apache download’s checksum and signatures.

Updated title to reflect multiple Log4j vulnerabilities.

14 Dec 2021, 4:30 pm EST

Script available from Tamr Support to remediate vulnerability CVE-2021-44228.

14 Dec 2021, 12:00 pm EST

Provided steps to remediate vulnerability CVE-2021-44228.

13 Dec, 2021, 2:30 pm EST

Initial version.