Updates on Apache Log4j Vulnerabilities

Last Updated: 26 July 2022, 12:00 pm ET (see Change History below)

Our Commitment to Security

As soon as Tamr’s security team received notification from our security partners, we initiated an ongoing comprehensive review of all Tamr software and third-party dependencies related to Log4j.

Tamr has delivered patch versions that remediate the vulnerabilities listed below. Additionally, all Tamr Core versions v2021.021.0 and later include this remediation.

  • Apache Log4j CVE-2021-45046 - classified as “Critical” with a CVSS score of 9.0 out of 10, allowing for Remote Code Execution with system-level privileges. The patches issued by Tamr remediate the vulnerability in Tamr Core and Elasticsearch.
  • Apache Log4j CVE-2021-44228 - classified as “Critical” with a CVSS score of 10 out of 10, allowing for Remote Code Execution with system-level privileges. The patches issued by Tamr remediate the vulnerability in Tamr Core. If you have not yet done so, follow the patch instructions below for this CVE to fully address this critical vulnerability.
  • Apache Log4j CVE-2021-45105 - classified as “High severity” with a CVSS score of 7.5 out of 10. While Tamr customers are not materially affected, the Tamr Core patches address this CVE.

Tamr Core is not subject to the following additional vulnerabilities:

  • Apache Log4j CVE-2021-4104 - classified as “High severity” with a CVSS score of 7.5 out of 10. This vulnerability is specific to JMSAppender in Log4j 1.2, and the Log4j configuration provided with Tamr Core does not use the JMSAppender, so Tamr Core is not subject to it.
  • Apache Log4j CVE-2021-44832 - classified as “Moderate” with a CVSS score of 6.6 out of 10. Tamr customers are not materially affected.

Additionally, see the "Tamr Core Releases to Address Apache Log4j Vulnerabilities" section below for statements from Tamr's third-party vendors and cloud providers regarding their analysis of these vulnerabilities.

Tamr recommends, as industry best practice, that Tamr Core instances be placed behind a firewall and actively scanned for unusual activity. Web Application Firewalls such as Google Cloud Armor and Cloudflare have updated their rules to detect and block these attacks.

Tamr Core Releases to Address Apache Log4j Vulnerabilities

Starting with Tamr release v2021.021.0, all releases use Apache Log4j version 2.17.0, which remedies all known Log4j vulnerabilities.

Additionally, patched versions of Tamr Core are available to address the following Apache Log4j vulnerabilities:

  • Apache Log4j CVE-2021-45105
  • Apache Log4j CVE-2021-45046
  • Apache Log4j CVE-2021-44228

The patched versions fully remediate these vulnerabilities in Tamr Core and Elasticsearch by updating Tamr Core to use Apache Log4j version 2.17.0.

Important: Be sure to install the patch for the version of Tamr Core that your system is running regardless of whether you previously took the remediation steps in this article.

Available patches:

  • v2021.020.2
  • v2021.006.4
  • v2021.002.4
  • v2020.024.3
  • v2020.016.7
  • v2020.012.1
  • v2020.004.3
  • v2019.019.2

Note: Tamr also remediated the vulnerabilities in the Tamr Core auxiliary services. Tamr contacted impacted customers directly to provide the necessary update.

Log4j in Tamr's Third-Party Systems

Software Vendors

In addition to third-party libraries, the Tamr system incorporates many third-party systems. We have been monitoring statements from the vendors of these systems to ensure that we take appropriate action with respect to the Log4j CVEs.

Apache Software Foundation: The Apache Software Foundation issued a comprehensive security statement: https://blogs.apache.org/security/entry/cve-2021-44228.
  • Apache Spark (including Yarn) - Not affected
  • Apache Zookeeper - Not affected
  • Apache Hadoop (including HBase) - Not affected

    Additional details for Hadoop:

    At this time, all released versions of Hadoop use Log4j 1.2. See the known security vulnerabilities in Log4j1 on the Log4j1 Security page: https://logging.apache.org/log4j/1.2/. The Log4j1 configuration provided by Tamr does not use any of the vulnerable appenders, sinks, or optional components, so the Log4j1 vulnerabilities are not exploitable on Tamr systems.

    If customers are concerned about the presence of these components on Tamr systems, Tamr can provide a tool to remove the vulnerable components. This does not impact the functionality of the Tamr system.

Elasticsearch: Elasticsearch issued a comprehensive security statement: https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476.
  • Elasticsearch 6 on JDK8 - Affected, included in remediation
  • Elasticsearch 5 on JDK8 - Affected, included in remediation
  • Beats - Not affected
  • Kibana - Not affected

Grafana: Grafana issued a statement: https://grafana.com/blog/2021/12/14/grafana-labs-core-products-not-impacted-by-log4j-cve-2021-44228-and-related-vulnerabilities/.
  • Grafana - Not affected

Prometheus: Prometheus is implemented in Go, not Java, and is therefore not affected. The Prometheus exporters provided with Tamr are also implemented in Go, not Java, and are therefore not affected.

PostgreSQL: PostgreSQL is implemented in C, not Java, and is therefore not affected.

Nginx: Nginx is implemented in C, not Java, and is therefore not affected.

Multilog: Multilog is implemented in C, not Java, and is therefore not affected.
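The advisory makes two checkable claims: every Log4j 2 jar should be 2.17.0 or later, and the Log4j 1.2 configuration should not enable JMSAppender (the CVE-2021-4104 vector) or the other components the linked Log4j 1.2 security page lists. The following Python audit is an added example, not Tamr's tooling or script; the directory layout, file names and the `make_sample_tree` helper are constructed for illustration and do not reflect a real Tamr install.

```python
import re
import tempfile
import zipfile
from pathlib import Path

FIXED_LOG4J2 = (2, 17, 0)  # the advisory names 2.17.0 as remediating all known Log4j 2 issues
# JMSAppender is the CVE-2021-4104 vector named in the advisory; the rest are other Log4j 1.2 classes on its security page.
LOG4J1_RISKY = ("JMSAppender", "JDBCAppender", "JMSSink", "SocketServer", "Chainsaw")
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def parse_version(text):
    """Return (major, minor, patch) from the first x.y.z in text, else None."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(x) for x in m.groups()) if m else None

def jar_log4j_version(jar):
    """Prefer the version recorded in the jar's Maven pom.properties over the file name."""
    try:
        with zipfile.ZipFile(jar) as zf:
            for line in zf.read(POM).decode().splitlines():
                if line.startswith("version="):
                    return parse_version(line)
    except (zipfile.BadZipFile, KeyError):
        pass  # not a jar, or no pom.properties: fall back to the file name below
    return parse_version(jar.name)

def audit(root):
    """(path, finding) pairs for stale log4j-core jars and risky Log4j 1.x config lines."""
    findings = []
    for p in Path(root).rglob("*"):
        if p.is_file() and p.name.startswith("log4j-core") and p.suffix == ".jar":
            v = jar_log4j_version(p)
            if v is None or v < FIXED_LOG4J2:
                findings.append((str(p), f"log4j-core {v} is below 2.17.0"))
        elif p.is_file() and p.name in ("log4j.properties", "log4j.xml"):
            text = p.read_text(errors="replace")
            for cls in LOG4J1_RISKY:  # only uncommented lines count
                if re.search(rf"^\s*[^#\s].*\b{cls}\b", text, re.M):
                    findings.append((str(p), f"Log4j 1.x config references {cls}"))
    return findings

def make_sample_tree():
    """Constructed sample layout (not a real Tamr install): stale jar, patched jar, JMS config."""
    root = Path(tempfile.mkdtemp())
    for ver in ("2.14.1", "2.17.0"):
        with zipfile.ZipFile(root / f"log4j-core-{ver}.jar", "w") as zf:
            zf.writestr(POM, f"version={ver}\n")
    (root / "log4j.properties").write_text(
        "# jms disabled: JMSAppender\nlog4j.appender.jms=org.apache.log4j.net.JMSAppender\n")
    return str(root)
```

Run `audit("/path/to/install")` against the real tree; an empty result means no stale log4j-core jar and no active risky Log4j 1.x appender was found under that root.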

Cloud Providers

When deployed in a cloud native configuration, the Tamr system replaces some of these third-party software packages with cloud services.

AWS: Amazon Web Services issued a comprehensive statement: https://aws.amazon.com/security/security-bulletins/AWS-2021-006/.
  • EMR - The services used by Tamr may be affected; customers should upgrade their EMR clusters when the patched versions are available
  • OpenSearch - Affected; AWS has automatically updated these services as of December 15th
  • RDS - RDS for PostgreSQL is not affected
  • S3 - Amazon S3 completed patching for the Apache Log4j2 issue

    Depending on deployment configuration, customers may use other AWS services that are affected.

Azure: Microsoft issued a comprehensive statement: https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/.
  • HDInsight - Affected; Azure is auto-patching HDInsight for customers who have automatic updates enabled

    Depending on deployment configuration, customers may use other Azure services that are affected.

Databricks: Databricks issued a comprehensive statement: https://databricks.com/blog/2021/12/13/log4j2-vulnerability-cve-2021-44228-research-and-assessment.html.
  • Databricks Spark - Not affected

GCP: Google Cloud Platform issued a comprehensive statement: https://cloud.google.com/log4j2-security-advisory.
  • Dataproc - Affected; customers must upgrade their Dataproc clusters
  • CloudSQL - The Postgres personality is not affected

    Depending on deployment configuration, customers may use other GCP services that are affected.

Change History

26 July 2022, 12:00 pm EDT
Updated to include details for available patches. Removed information and steps that are no longer applicable due to patch availability.

16 Feb 2022, 11:00 am EST
Updated the "Software Vendors" table with details for Apache Hadoop's use of Log4j 1.2; Tamr Core is not subject to Log4j1 vulnerabilities.

11 Jan 2022, 5:00 pm EST
Added statement for Apache Log4j CVE-2021-4104. Tamr Core is not subject to this vulnerability.

29 Dec 2021, 10:15 am EST
Added the CVE-2021-44832 section.

27 Dec 2021, 2:00 pm EST
Updated the "Replace Elasticsearch Packages" instructions to restore the original destination directory for the log4j-slf4j-impl-2.17.0.jar file.

23 Dec 2021, 12:30 pm EST
Updated the "Replace Elasticsearch Packages" instructions to correct the destination directory for the log4j-slf4j-impl-2.17.0.jar file. This file should be installed in a directory that is different from the file it replaces. The location of this file does not affect how Elasticsearch starts and runs. When you update to a patched version, the location of this file will be verified and corrected automatically.

22 Dec 2021, 4:30 pm EST
Added the "Tamr Core Patch Releases" section.

20 Dec 2021, 5:00 pm EST
Clarified that for CVE-2021-45046, there are two separate vulnerabilities that need to be addressed:
  • In Tamr Core - Tamr will be issuing a patch to address this CVE in Tamr Core.
  • In Elasticsearch - customers can either follow the steps in Replace Elasticsearch Packages or install the patch that will be issued by Tamr. Either of these will remediate the vulnerability in Elasticsearch.

20 Dec 2021, 11:30 am EST
Added summary and statement for CVE-2021-45105.

Updated "Replacing Elasticsearch Packages" remediation steps to recommend replacing the packages with version 2.17.0 or later. If you have installed a prior version of Log4j due to CVE-2021-44228 or CVE-2021-45046, Tamr recommends upgrading to 2.17.0.

17 Dec 2021, 5:30 pm EST
For CVE-2021-45046, clarified that users should replace Elasticsearch packages for remediation in Elasticsearch until a Tamr Core patch is available.

Added section "Log4j in Tamr's Third-Party Systems" with statements from third-party vendors and cloud providers regarding Log4j CVEs.

17 Dec 2021, 4:15 pm EST
CVE-2021-45046 severity has been upgraded from 3.7 to 9.0 out of 10 on the CVSS rating system, allowing for Remote Code Execution with system-level privileges. Tamr is continuing to investigate this vulnerability.

17 Dec 2021, 1:00 pm EST
Provided an update on a planned patch release to address CVE-2021-45046.

Clarified that replacing Elasticsearch packages is optional:
  • For CVE-2021-44228, complete the steps to address vulnerability scan reports that vulnerable packages are installed on the Tamr system.
  • For CVE-2021-45046, complete the steps if you require mitigation before a Tamr patch is available.

16 Dec 2021, 3:00 pm EST
General: Clarified the severity of each issue and which issues are remediated or still in progress. Added a note regarding Tamr Core auxiliary services.

For CVE-2021-45046, clarified severity (not critical) and future patch availability.

For CVE-2021-44228, clarified the steps to remediate the vulnerability.

16 Dec 2021, 7:45 am EST
For CVE-2021-44228, clarified that replacing Elasticsearch packages is needed after running the Tamr-provided remediation script.

15 Dec 2021, 2:30 pm EST
Investigating newly identified vulnerability, CVE-2021-45046.

Updated "Replacing Elasticsearch Packages" remediation steps for CVE-2021-44228:
  • Replacing Elasticsearch packages is now required.
  • Required log4j package version is 2.16.0 or later.
  • Added link to verify your Apache download’s checksum and signatures.

Updated title to reflect multiple Log4j vulnerabilities.

14 Dec 2021, 4:30 pm EST
Script available from Tamr Support to remediate vulnerability CVE-2021-44228.

14 Dec 2021, 12:00 pm EST
Provided steps to remediate vulnerability CVE-2021-44228.

13 Dec 2021, 2:30 pm EST
Initial version.