Vulnerabilities in Airbyte | Apache Log4j

[Nasser506]

We have Vulnerabilities in Airbyte in Apache Log4j ( CVE-2021-4104) and how to close this Vulnerabilities .
-Apache Log4j 1.2 JMSAppender Remote Code Execution (CVE-2021-4104)
-Apache Log4j 1.x Multiple Vulnerabilities
-Apache Log4j SEoL (<= 1.x)

Airbyte version : 0.59.0
deploy with Docker
Server : RHEL 8

[marcosmarxm]

@wennergr can you check this and if the depedency was updated in latest version?

[Nasser506]

Dear @marcosmarxm ,

Do you have any updates? Does the latest Airbyte version include the new version of Apache Log4j?

more details :
Plugin Output:
Path : /var/lib/docker/overlay2/XXXXX/diff/airbyte/lib/log4j-1.2.17.jar
Installed version : 1.2.17
Fixed version : 2.16.0

Path : /var/lib/docker/overlay2/XXXXX/diff/airbyte/lib/log4j-1.2.17.jar
Installed version : 1.2.17
Fixed version : 2.16.0

[wennergr]

Hey @Nasser506,

thank you for the report. We are looking into resolving the issue.

Were you able to use the log4j vulnerability to compromise confidentiality, integrity, or availability?

[Nasser506]

Hi @wennergr ,

Our cybersecurity team discovered the Log4j vulnerability using Tenable tools during our routine security assessments. We did not use the vulnerability to compromise confidentiality, integrity, or availability.

Upon discovery, we promptly took action to mitigate the risk. We continue to monitor our systems closely to ensure the ongoing security and integrity of our data and services.

If you require further details or have additional questions, please feel free to reach out.

[Nasser506]

Dear @marcosmarxm ,

Do you have any updates? Does the latest Airbyte version include the new version of Apache Log4j?

[wennergr]

Hey @Nasser506,

The log4j vulnerability you reference was in the destination-s3 connector, which has since been patched (version 0.6.4 in dockerhub).

Log4j was imported as a transitive dependency from a library that was not in use, so the vulnerability did not affect us.