Is Hybrid Data Pipeline vulnerable to CVE-2021-44228 (Log4j)?


Title: Is Hybrid Data Pipeline vulnerable to CVE-2021-44228 (Log4j)?
URL Name: Is-Hybrid-Data-Pipeline-vulnerable-CVE-2021-44228-Log4j
Article Number: 000206957

Information
Is Hybrid Data Pipeline vulnerable to CVE-2021-44228 (Log4j)?
The answer varies based upon the version of HDP in use.

Latest Release (HDP 4.6.1.311):
Hybrid Data Pipeline (HDP) version 4.6.1.311 includes Log4j version 2.17.0, which addresses CVE-2021-44228.
Hybrid Data Pipeline (HDP) On-Premises Connector (OPC) does not use log4j and is not vulnerable to CVE-2021-44228.
The OPC install package contains a support tool, the HDP JDBC Verification Tool, that uses log4j2. The JDBC Verification Tool has been updated to use log4j 2.17 in the latest HDP OPC patch (4.6.1.91). It addresses CVE-2021-44228.

Past HDP Releases:
Hybrid Data Pipeline Build 306 includes Log4j version 2.15.0, which addresses CVE-2021-44228 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228). Apache has since released log4j 2.17.
Hybrid Data Pipeline (HDP) On-Premises Connector (OPC) does not use log4j and is not vulnerable to CVE-2021-44228.
The OPC install package contains a support tool, the HDP JDBC Verification Tool, that uses log4j2. The JDBC Verification Tool has been updated to use log4j 2.15 in HDP OPC patch (4.6.1.85). It addresses CVE-2021-44228. Apache has since released log4j 2.17.

Builds 296 and earlier of the Hybrid Data Pipeline (HDP) 4.6.1 release use Log4j version 2.13.3. HDP version 4.6.1.296 and prior versions are vulnerable to the attack listed in CVE-2021-44228 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228).

Our general guidance is to update to the latest version of HDP. Another way to mitigate this vulnerability is to modify the HDP configuration to set the log4j2.formatMsgNoLookups Java system property to true, as explained in the steps below.
  1. Make a backup copy of setenv.sh in the <hdp_install_dir>/ddcloud/das/server/bin directory.
  2. Edit the original setenv.sh file to add the log4j2.formatMsgNoLookups property to the JAVA_OPTS variable. The updated entry will look something like:

     export JAVA_OPTS="-DDDTEK.installDir=$INSTALL_DIR \
     -Djavax.net.ssl.keyStore=${KEYSTORE}/ddcloud.jks \
     -Djavax.net.ssl.keyStorePassword=******* \
     -Dmodule.core.status=ddcloud \
     -Dmodule.core.status=ddcloud \
     -DDDTEK.enableClassLoaderWorkaround=false \
     -Duser.timezone=GMT \
     -DDDTEK.includeFinalizers=false \
     -Djava.security.auth.login.config=$CATALINA_HOME/conf/jaas.config \
     -Dlog4j2.formatMsgNoLookups=true \
     -XX:+HeapDumpOnOutOfMemoryError \
     -XX:HeapDumpPath=\"$INSTALL_DIR/heapdumps/java_$(date +%Y%m%d_%H%M%S).hprof\""

  3. Save the changes to setenv.sh and restart HDP.
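As an added example (not from this article or the HDP product), a small POSIX shell helper that carries out steps 1 and 2 idempotently and then re-parses the edited file so a quoting mistake shows up before the restart in step 3. The sample setenv.sh it generates and the placeholder paths in effective_java_opts are constructed assumptions.

```shell
#!/bin/sh
# Added helper, not part of HDP: idempotently set log4j2.formatMsgNoLookups=true
# in the JAVA_OPTS export of a setenv.sh (HDP's lives under
# <hdp_install_dir>/ddcloud/das/server/bin) and keep a timestamped backup.
set -eu

PROP='-Dlog4j2.formatMsgNoLookups=true'

# True when the property already appears in the file.
has_nolookups() {
    grep -qF -- "$PROP" "$1"
}

# Steps 1 and 2: back the file up, then splice the property in right after the
# opening quote of 'export JAVA_OPTS="'. Works for a single-line or a
# backslash-continued JAVA_OPTS, and is a no-op when the flag is already set.
add_nolookups() {
    file="$1"
    if has_nolookups "$file"; then
        echo "already set: $file"
        return 0
    fi
    cp -p "$file" "$file.bak.$(date +%Y%m%d_%H%M%S)"
    awk -v prop="$PROP" '
        !done && sub(/export JAVA_OPTS="/, "export JAVA_OPTS=\"" prop " ") { done = 1 }
        { print }
    ' "$file" > "$file.tmp"
    cat "$file.tmp" > "$file"    # overwrite in place to keep the original file mode
    rm -f "$file.tmp"
    echo "added $PROP to $file"
}

# Re-parse the edited file in a fresh shell and print the resulting JAVA_OPTS,
# so a broken quote or continuation is caught before HDP is restarted (step 3).
# The three paths are placeholder values for variables the real file expands.
effective_java_opts() {
    INSTALL_DIR=/opt/hdp KEYSTORE=/opt/hdp/keystore CATALINA_HOME=/opt/hdp/tomcat \
        sh -c '. "$1" && printf "%s\n" "$JAVA_OPTS"' sh "$1"
}

# Constructed sample mirroring the shape of HDP's setenv.sh (not real config).
make_sample() {
    cat > "$1" <<'EOF'
export JAVA_OPTS="-DDDTEK.installDir=$INSTALL_DIR \
-Duser.timezone=GMT \
-XX:+HeapDumpOnOutOfMemoryError"
EOF
}
```

Run add_nolookups against the real setenv.sh, then effective_java_opts on it to review the expanded JAVA_OPTS before restarting HDP.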
Hybrid Data Pipeline (HDP) version 4.6.0 and lower are not impacted by CVE-2021-44228 because they are not using Log4j version 2.x. 
Additional Information
For additional information on this vulnerability as it relates to other Progress products, refer to the Progress Security Center: https://www.progress.com/security

Environment: Hybrid Data Pipeline 4.6.1
Last Modified Date: 12/21/2021 12:10 AM