Last Updated: 26 July 2022, 12:00 pm ET (change history)
As soon as Tamr’s security team received notification from our security partners, we initiated an on-going comprehensive review of all Tamr software and third party dependencies related to Log4j.
Tamr has delivered patch versions that remediate the vulnerabilities listed below. Additionally, all Tamr Core versions v2021.021.0 and later include this remediation.
- Apache Log4j CVE-2021-45046 - classified as “Critical” with a CVSS score of 9.0 out of 10, allowing for Remote Code Execution with system-level privileges. The patches issued by Tamr remediate the vulnerability in Tamr Core and Elasticsearch.
- Apache Log4j CVE-2021-44228- classified as “Critical” with a CVSS score of 10 out of 10, allowing for Remote Code Execution with system-level privileges. The patches issued by Tamr remediate the vulnerability in Tamr Core.
If you have not yet done so, follow the instructions below for this CVE to fully address this critical vulnerability.
- Apache Log4j CVE-2021-45105 - classified as "High severity" with a CVSS score of 7.5 out of 10. While Tamr customers are not materially affected, the Tamr Core patches address this CVE.
Tamr Core is not subject to the following additional vulnerabilities:
- Apache Log4j CVE-2021-4101 - classified as “High severity” with a CVSS score of 7.5 out of 10. Tamr Core is not subject to this vulnerability. This vulnerability is specific to JMSAppender in Log4j 1.2, and the Log4j configuration provided with Tamr core does not use the JMSAppender.
- Apache Log4j CVE-2021-44832 - classified as "Moderate" with a CVSS score of 6.6 out of 10. Tamr customers are not materially affected.
Additionally, see the "Tamr Core Releases to Address Apache Log4j Vulnerabilities" section below for statements from Tamr's third-party vendors and cloud providers regarding their analysis of these vulnerabilities.
Tamr recommends as industry best practice that Tamr Core instances are behind a firewall and actively scanned for unusual activity. Web Application Firewalls such as Google Cloud Armor and Cloudflare have updated their rules to detect and block these attacks.
Starting with Tamr release v2021.021.0, all releases use Apache Log4j version 2.17.0, which remedies all known Log4j vulnerabilities.
Additionally, patched versions of Tamr Core are available to address the following Apache Log4j vulnerabilities:
- Apache Log4j CVE-2021-45105
- Apache Log4j CVE-2021-45046
- Apache Log4j CVE-2021-44228
The patched versions fully remediate these vulnerabilities in Tamr Core and Elasticsearch by updating Tamr Core to use Apache Log4j version 2.17.0.
Important: Be sure to install the patch for the version of Tamr Core that your system is running regardless of whether you previously took the remediation steps in this article.
Note: Tamr also remediated the vulnerabilities in the Tamr Core auxiliary services. Tamr contacted impacted customers directly to provide the necessary update.
In addition to third-party libraries, the Tamr system incorporates many third-party systems. We have been monitoring statements from the vendors of these systems to ensure that we take appropriate action with respect to the Log4j CVEs.
|Apache Software Foundation
|The Apache Software Foundation issued a comprehensive security statement: https://blogs.apache.org/security/entry/cve-2021-44228.
If customers are concerned about the presence of these components on Tamr systems, Tamr can provide a tool to remove the vulnerable components. This does not impact the functionality of the Tamr system.
|Elasticsearch issued a comprehensive security statement: https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476.
|Grafana issued a statement:
|Prometheus is implemented in Go, not Java, and is therefore not affected. The various prometheus exporters provided with Tamr are also implemented in Go, not Java, and are therefore not affected.
|PostgreSQL is implemented in C, not Java, and is therefore not affected.
|Nginx is implemented in C, not Java, and is therefore not affected.
|Multilog is implemented in C, not Java, and is therefore not affected.
When deployed in a cloud native configuration, the Tamr system replaces some of these third-party software packages with cloud services.
|Amazon Web Services issued a comprehensive statement: https://aws.amazon.com/security/security-bulletins/AWS-2021-006/.
|Microsoft issued a comprehensive statement: https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/.
|Databricks issued a comprehensive statement: https://databricks.com/blog/2021/12/13/log4j2-vulnerability-cve-2021-44228-research-and-assessment.html.
|Google Cloud Platform issued a comprehensive statement: https://cloud.google.com/log4j2-security-advisory.
26 July 2022, 12:00 pm EDT
Updated to include details for available patches. Removed information and steps that are no longer applicable due to patch availability.
16 Feb 2022, 11:00 am EST
Updated the "Software Vendors]" table with details for Apache Hadoop's use of Log4j 1.2; Tamr Core is not subject to Log4j1 vulnerabilities.
11 Jan 2022, 5:00 pm EST
Added statement for Apache Log4j CVE-2021-4104. Tamr Core is not subject to this vulnerability.
29 Dec 2021, 10:15 am EST
Added the CVE-2021-44832 section.
27 Dec 2021, 2:00 pm EST
Updated the "Replace Elasticsearch Packages" instructions to restore the original destination directory for the log4j-slf4j-impl-2.17.0.jar file.
23 Dec 2021, 12:30 pm EST
Updated the "Replace Elasticsearch Packages" instructions to correct the destination directory for the log4j-slf4j-impl-2.17.0.jar file. This file should be installed in a directory that is different than the file it replaces. The location of this file does not affect how Elasticsearch starts and runs. When you update to a patched version, the location of this file will be verified and corrected automatically.
22 Dec 2021, 4:30 pm EST
Added the "Tamr Core Patch Releases" section.
20 Dec 2021, 5:00 pm EST
Clarified that for CVE-2021-45046, there are two separate vulnerabilities that needs to be addressed:
20 Dec 2021, 11:30 am EST
Added summary and statement for CVE-2021-45105.
Updated "Replacing Elasticsearch Packages" remediation steps to recommend replacing the packages with version 2.17.0 or later. If you have installed a prior version of Log4j due to CVE-2021-44228 or CVE-2021-45056, Tamr recommends upgrading to 2.17.0.
17 Dec 2021, 5:30 pm EST
For CVE-2021-45046, clarified that users should replace Elasticsearch packages for remediation in Elasticsearch until a Tamr Core patch is available.
Added section "Log4j in Tamr's Third-Party Systems" with statements from third-party vendors and cloud providers regarding Log4j CVEs.
17 Dec 2021, 4:15 pm EST
CVE-2021-45046 severity has been upgraded from 3.7 to 9.0 out of 10 on the CVSS rating system, allowing for Remote Code Execution with system-level privileges. Tamr is continuing to investigate this vulnerability.
17 Dec 2021, 1:00 pm EST
Provided an update on a planned patch release to address CVE-2021-45046.
Clarified that replacing Elasticsearch packages is optional:
16 Dec 2021, 3:00 pm EST
General: Clarity on severity on each issue and which issues are remediated or still in-progress. Added a note re: Tamr Core auxiliary services.
For CVE-2021-45046, clarified severity (not-critical) and future patch availability.
For CVE-2021-44228, clarified the steps to remediate the vulnerability.
16 Dec 2021, 7:45 am EST
For CVE-2021-44228, clarified that replacing Elasticsearch packages is needed after running the Tamr-provided remediation script.
15 Dec 2021, 2:30 pm EST
Investigating newly identified vulnerability, CVE-2021-45046.
Updated "Replacing Elasticsearch Packages" remediation steps for CVE-2021-44228:
Updated title to reflect multiple Log4j vulnerabilities.
|14 Dec 2021, 4:30 pm EST
|Script available from Tamr Support to remediate vulnerability CVE-2021-44228.
|14 Dec 2021, 12:00 pm EST
|Provided steps to remediate vulnerability CVE-2021-44228.
|13 Dec, 2021, 2:30 pm EST
Updated 8 months ago