Apache Log4j Vulnerability: Dremio Is Not Affected
A critical vulnerability in the widely used Java logging library Apache Log4j 2 was disclosed on December 9, 2021. When attacker-controlled input reaches a log statement, it allows a remote attacker to execute arbitrary code on the affected server, a so-called Remote Code Execution (RCE).
Be advised that Dremio Software is NOT AFFECTED by this Apache Log4j vulnerability. Dremio uses Logback as its logging framework. Logback is the successor to log4j 1.x, written by the same author; it is a separate codebase from Log4j 2, and neither Logback nor Log4j 1.x contains the JNDI lookup feature that CVE-2021-44228 exploits.
Vulnerability: CVE-2021-44228
Published Date: 12/10/2021
Dremio takes security extremely seriously and it’s embedded in our DNA. Both for our Dremio Software and Dremio Cloud offerings we build everything with security in mind and prioritize accordingly.
The list below addresses the log4j-named packages that are bundled with Dremio Software and explains why none of them carries the vulnerability:
- org.slf4j:log4j-over-slf4j:1.7.28
  - The bridging module that redirects calls made to the log4j 1.x API to slf4j. It contains no log4j implementation code.
  - Dremio Software uses Logback (not log4j) behind slf4j.
- org.apache.logging.log4j:log4j-1.2-api:2.13.3
  - A compatibility API only. It does not contain log4j-core, the module in which the vulnerable JNDI lookup lives.
- org.apache.logging.log4j:log4j-api:2.13.3
  - The Log4j 2 API package only. The vulnerability is in log4j-core, which is not among the packages bundled with Dremio Software.
- org.apache.logging.log4j:log4j-to-slf4j:2.13.3
  - The bridging module that redirects calls made to the Log4j 2 API to slf4j.
  - Dremio uses Logback (not log4j) behind slf4j.
The exact versions of these log4j-named libraries vary between Dremio Software releases, but none of them is vulnerable to CVE-2021-44228.
Dremio scans all builds with OWASP Dependency-Check every day; those scans likewise report no vulnerable component in our builds.
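The package list above is exactly the kind of thing a customer will want to verify on their own installation, and a file-name check is not enough: the bridging and API jars are safe while a shaded or nested copy of log4j-core would not be. The script below is an added example and not Dremio's own tooling or its OWASP Dependency-Check pipeline. It classifies every jar under a directory by the class paths it contains (the JNDI lookup ships only in log4j-core), recurses into jars nested inside other jars, and, because it has to run offline here, constructs its own sample library directory whose jar names and contents are invented for illustration.

```python
"""Scan a directory of jars for the log4j-core class that carries the
CVE-2021-44228 JNDI lookup, including jars nested inside other jars.

Added example, not Dremio's tooling. The sample jars built below are
constructed stand-ins so the script runs offline."""
import io
import tempfile
import zipfile
from pathlib import Path

# The JNDI lookup lives only in log4j-core; log4j-api, log4j-1.2-api and
# log4j-to-slf4j never contain this package.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LOG4J_CORE_PREFIX = "org/apache/logging/log4j/core/"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def classify_archive(zf, label):
    """Return one finding per archive, recursing into nested archives.

    A finding is (label, has_log4j_core, has_jndi_lookup). Matching on
    class paths rather than file names catches renamed or shaded jars."""
    names = zf.namelist()
    findings = [(
        label,
        any(n.startswith(LOG4J_CORE_PREFIX) for n in names),
        JNDI_LOOKUP_CLASS in names,
    )]
    for n in names:
        if n.endswith(ARCHIVE_SUFFIXES):
            with zf.open(n) as nested:
                data = io.BytesIO(nested.read())
            with zipfile.ZipFile(data) as inner:
                findings.extend(classify_archive(inner, f"{label}!{n}"))
    return findings


def scan_tree(root):
    """Walk root for archives and classify each one (labels relative to root)."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix in ARCHIVE_SUFFIXES:
            with zipfile.ZipFile(path) as zf:
                findings.extend(classify_archive(zf, str(path.relative_to(root))))
    return findings


def vulnerable(findings):
    """Labels of archives that actually carry the JNDI lookup class."""
    return [label for label, _core, jndi in findings if jndi]


# --- constructed sample, not a real Dremio distribution --------------------
FAKE_CLASS = b"\xca\xfe\xba\xbe"  # class-file magic; body is irrelevant here


def _write_jar(path, entries):
    with zipfile.ZipFile(path, "w") as zf:
        for name in entries:
            zf.writestr(name, FAKE_CLASS)


def build_sample(root):
    lib = Path(root) / "jars"
    lib.mkdir()
    # What the advisory says Dremio ships: API and bridge jars, no log4j-core.
    _write_jar(lib / "log4j-api-2.13.3.jar", ["org/apache/logging/log4j/Logger.class"])
    _write_jar(lib / "log4j-to-slf4j-2.13.3.jar",
               ["org/apache/logging/log4j/slf4j/SLF4JProvider.class"])
    _write_jar(lib / "logback-classic-1.2.3.jar", ["ch/qos/logback/classic/Logger.class"])
    # A hypothetical fat jar hiding log4j-core inside it: the case a
    # file-name-only check would miss.
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr(JNDI_LOOKUP_CLASS, FAKE_CLASS)
    with zipfile.ZipFile(lib / "some-app-all.jar", "w") as zf:
        zf.writestr("com/example/App.class", FAKE_CLASS)
        zf.writestr("BOOT-INF/lib/log4j-core-2.14.1.jar", inner.getvalue())
    return lib


def demo():
    """Build the sample tree, scan it, and return (all findings, vulnerable labels)."""
    with tempfile.TemporaryDirectory() as tmp:
        findings = scan_tree(build_sample(tmp))
        return findings, vulnerable(findings)


if __name__ == "__main__":
    all_findings, bad = demo()
    for label, core, jndi in all_findings:
        print(f"{label}: log4j-core={core} JndiLookup={jndi}")
    print("VULNERABLE:", bad or "none")
```

Against a real installation, replace the call to `build_sample` with the path to the Dremio `jars` directory. A jar that matches by class path but not by name is the interesting result; the three jar types named in the list above will show both flags as false.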
If you have questions, please contact Dremio Support via the Support Portal.