Dear valued customer,
As I am sure you are aware, on December 9th a critical zero-day vulnerability affecting Apache Log4j2 (CVE-2021-44228) was disclosed by Apache. As a valued SingleStore customer, we want to reassure you that this vulnerability does not affect SingleStore in any way and to provide you with clarification about it.
What is the Apache Log4j2 JNDI Vulnerability?
From the NIST National Vulnerability Database: “Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default.”
Does this affect SingleStore?
In short, no, this vulnerability does not affect SingleStore. Log4j is a common logging library for the Java programming language, and SingleStore uses Java in only rare cases. SingleStore uses Apache Log4j for HDFS Pipelines, a feature used for loading data from HDFS, and Log4j is also used by Replicate, a third-party tool used for transferring data from a wide variety of heterogeneous databases into SingleStore.
HDFS Pipelines - SingleStore uses Log4j version 1.2.17, which is not within the range exposed to this vulnerability, so it is not applicable.
Blitzz Replicate - Replicate is not a SingleStore product; however, Blitzz has confirmed that they use version 1.7, which is also not vulnerable to this exploit.
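For customers who want to run the same check against their own deployments, the following Python script is an added example (it is not part of this notice and not a SingleStore tool). It reads the Implementation-Version from a Log4j jar's manifest, falls back to the version embedded in the file name, and classifies the result strictly against the CVE-2021-44228 range given in the NIST text above (Log4j2 up to and including 2.14.1 affected; 2.15.0 disables message lookups by default; Log4j 1.x outside that range). The sample jars are constructed in memory, and their names and manifest contents are assumptions for illustration only.

```python
import io
import re
import zipfile
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Range taken from the NIST description quoted above: Log4j2 <= 2.14.1 is affected
# by CVE-2021-44228; from 2.15.0 message lookup substitution is disabled by default.
AFFECTED_MAX: Version = (2, 14, 1)


def parse_version(text: str) -> Optional[Version]:
    """Extract the first major.minor[.patch] triple from a version string or jar name.
    Pre-release suffixes such as '2.0-beta9' collapse to (2, 0, 0)."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def classify(version: Version) -> str:
    """Classify a Log4j version against the CVE-2021-44228 range only."""
    if version[0] < 2:
        # Log4j 1.x (e.g. the 1.2.17 used by HDFS Pipelines) is outside this CVE's range.
        return "not-affected (Log4j 1.x)"
    if version <= AFFECTED_MAX:
        return "affected (Log4j2 <= 2.14.1)"
    return "lookups-disabled-by-default (Log4j2 >= 2.15.0)"


def manifest_version(jar_bytes: bytes) -> Optional[Version]:
    """Read Implementation-Version from META-INF/MANIFEST.MF inside a jar."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        if "META-INF/MANIFEST.MF" not in zf.namelist():
            return None
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", errors="replace")
    for line in manifest.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "Implementation-Version":
            return parse_version(value.strip())
    return None


def assess_jar(jar_name: str, jar_bytes: bytes) -> Tuple[Optional[Version], str]:
    """Prefer the manifest version; fall back to the version embedded in the file name."""
    version = manifest_version(jar_bytes) or parse_version(jar_name)
    if version is None:
        return None, "unknown (no version found; inspect manually)"
    return version, classify(version)


def make_sample_jar(impl_version: Optional[str]) -> bytes:
    """Build a minimal jar in memory (constructed sample, not a real artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        manifest = "Manifest-Version: 1.0\n"
        if impl_version:
            manifest += f"Implementation-Version: {impl_version}\n"
        zf.writestr("META-INF/MANIFEST.MF", manifest)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples: the jar names and versions are assumptions for illustration.
    samples = {
        "log4j-1.2.17.jar": make_sample_jar("1.2.17"),
        "log4j-core-2.14.1.jar": make_sample_jar("2.14.1"),
        "log4j-core-2.15.0.jar": make_sample_jar("2.15.0"),
        "shaded-app.jar": make_sample_jar(None),  # no version in manifest or name
    }
    for name, data in samples.items():
        print(f"{name}: {assess_jar(name, data)}")
```

The manifest is preferred over the file name because shaded or renamed jars often carry no version in their name; a jar with neither is reported as unknown rather than silently treated as safe.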
SingleStore’s policy is to notify all customers within 72 hours of identifying an applicable data breach, so please rest assured that if we, or your data, are the victim of a data breach, we will notify you promptly and respond appropriately. Should you have any further questions, do not hesitate to contact me directly.
Very truly yours,
Jake Leo Bernardes
Head of Information Security