Hello,
I've read this bulletin about the vulnerability:
https://cloud.google.com/log4j2-security-advisory?hl=en
But no info about DataFlow is available there.
I would like to know whether the DataFlow SDK (namely Apache Beam and related stack) uses a fixed log4j version (>= 2.15) or whether there are plans to do so. Also, whether there are any action items on DataFlow users' side.
We're currently using DataFlow SDK 2.34.0; its pom.xml file shows a dependency on slf4j 1.7.25. I can't find any explicit log4j dependencies, but it doesn't mean the runner doesn't load these classes dynamically through slf4j via some configuration settings inside the runner...
Thanks
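One way to answer the "is log4j-core bundled somewhere I can't see in pom.xml" question from the post above is to inspect the jars that actually ship with a pipeline rather than the declared dependencies. The script below is an added example for this thread, not code from Apache Beam, Dataflow or the original poster. It walks a directory of jars, descends into jars nested inside fat/uber jars (the usual packaging for Dataflow pipelines), reads the log4j-core version from Maven's `META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties` (assumed to be present, as it is in standard Maven builds) and flags anything below the 2.15 threshold mentioned in the question. The sample jars it builds in `build_sample_jar()` and `demo()` are constructed for demonstration only and are not real artifacts.

```python
"""Scan jars (including jars nested inside fat/uber jars) for log4j-core and
report whether the bundled version predates the 2.15 fix.

Added example for this thread, not Beam/Dataflow project code. It assumes the
standard Maven layout where log4j-core jars carry a pom.properties file with a
``version=`` line; the jars created by build_sample_jar() are constructed
samples, not real artifacts.
"""
import io
import os
import re
import tempfile
import zipfile

POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED_VERSION = (2, 15, 0)  # threshold from the question: versions below this are affected


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); tolerates suffixes such as '2.15.0-rc1'."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        return None
    return tuple(int(x or 0) for x in m.groups())


def log4j_core_version(zf, name):
    """Return the log4j-core version in an open zip, or None if it is absent.

    Prefers Maven's pom.properties; falls back to the jar's own file name
    (e.g. log4j-core-2.14.1.jar) when shading stripped the metadata.
    """
    if POM_PROPERTIES in zf.namelist():
        for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                return parse_version(line.split("=", 1)[1])
    m = re.search(r"log4j-core-(\d+\.\d+(?:\.\d+)?)\.jar$", name)
    return parse_version(m.group(1)) if m else None


def scan_zip(zf, name, findings):
    """Append (name, version, has_jndi_lookup) for this jar and any jar nested in it."""
    version = log4j_core_version(zf, name)
    has_jndi = JNDI_LOOKUP in zf.namelist()
    if version is not None or has_jndi:
        findings.append((name, version, has_jndi))
    # Fat/uber jars may embed dependency jars whole; recurse into them in memory.
    for entry in zf.namelist():
        if entry.endswith(".jar"):
            with zipfile.ZipFile(io.BytesIO(zf.read(entry))) as inner:
                scan_zip(inner, f"{name}!/{entry}", findings)


def scan_tree(root):
    """Scan every *.jar under root; returns a list of (name, version, has_jndi)."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in sorted(files):
            if f.endswith(".jar"):
                path = os.path.join(dirpath, f)
                with zipfile.ZipFile(path) as zf:
                    scan_zip(zf, path, findings)
    return findings


def is_affected(version, has_jndi):
    """Anything older than 2.15.0 is affected. A JndiLookup class with no
    version metadata cannot be cleared, so it is reported as affected too."""
    if version is None:
        return has_jndi
    return version < FIXED_VERSION


def build_sample_jar(path, version=None, include_jndi=False, nested=None):
    """Constructed sample jar: optional log4j-core metadata, optional nested jar."""
    with zipfile.ZipFile(path, "w") as zf:
        if version is not None:
            zf.writestr(POM_PROPERTIES, f"groupId=org.apache.logging.log4j\nversion={version}\n")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # class-file magic only, not real bytecode
        if nested:
            with open(nested, "rb") as fh:
                zf.writestr("lib/" + os.path.basename(nested), fh.read())


def demo():
    """Build constructed jars (pre-fix, fixed, and a fat jar hiding the pre-fix one) and scan."""
    tmp = tempfile.mkdtemp()
    old = os.path.join(tmp, "log4j-core-2.14.1.jar")
    new = os.path.join(tmp, "log4j-core-2.17.0.jar")
    fat = os.path.join(tmp, "pipeline-bundled.jar")
    build_sample_jar(old, "2.14.1", include_jndi=True)
    # Later releases still ship the JndiLookup class; the version, not the class, decides.
    build_sample_jar(new, "2.17.0", include_jndi=True)
    build_sample_jar(fat, nested=old)  # no metadata of its own, but a vulnerable jar inside
    report = [(os.path.relpath(name, tmp), version, is_affected(version, has_jndi))
              for name, version, has_jndi in scan_tree(tmp)]
    for name, version, affected in report:
        print(f"{'AFFECTED' if affected else 'ok      '} {name} log4j-core={version}")
    return report


if __name__ == "__main__":
    demo()
```

Point it at the directory your build drops pipeline jars into (or at a copy of a worker's classpath) instead of the constructed samples; the nested-jar recursion is what catches a log4j-core that never appears in `mvn dependency:tree` because it was shaded into another dependency.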
Thank you for clarifying.
As indicated in the reference links, the vulnerability is observed specifically for versions 2.14.1 or below. So, as you are using a newer version, you should not be affected by the vulnerability.
For Apache Beam and Dataflow, based on our investigation so far they are not impacted. There are 3 reasons for that:
- For Beam versions 2.32.0 and older, Beam has no public-facing dependencies on log4j. And the remaining test dependencies were removed today.
- Dataflow workers do not carry this dependency by default.
- And Dataflow VMs have a JRE version that is not impacted by this vulnerability