Security Patch 3.1.9.2 (Log4j2 CVE-2021-44228)

This article describes the changes of the version 3.1.9.2 security patch.

Learn how to update KaDeck Web

Update 3.1.9.2 is a security patch that increments the version number of log4j2 to 2.15 (fix for CVE-2021-44228 vulnerability).

This update is strongly recommended to all users.

Log4j2 CVE-2021-44228

A few hours ago, a 0-day exploit was discovered in the popular Java logging library log4j (version 2) that allows remote code execution (RCE) by logging a specific string (similar to SQL injections).

The vulnerability occurs in older Java versions ("JNDI Remote Class Loading") and depends on whether user input is logged directly (e.g., user agent, domain paths, etc.).

KaDeck Web uses Log4j2 and is therefore potentially affected by this vulnerability. However, since our KaDeck Web image does not use an affected Java version and no user input is logged directly, we could not find any way to exploit this vulnerability in KaDeck Web 3.1.9 so far. We, therefore, classify the risk for our customers as LOW.

We have nevertheless immediately rolled out an update, which is strongly recommended to all users, increasing the version of Log4J2 to 2.15, which includes the patch for the vulnerability.

Please update your KaDeck Web installation to 3.1.9.2 immediately to be on the safe side.

Is the Apache Kafka ecosystem affected by Log4j2 CVE-2021-44228?

We have also scanned the Apache Kafka ecosystem (Apache Kafka, Kafka Connect, Schema Registry, Rest Proxy, and KSQL) for the vulnerability and could not detect any vulnerability. This assessment is consistent with other sources.