There has been a lot of discussion around Log4j V2 due to the recently discovered security vulnerability (CVE-2021-44228).
Your usage of meshIQ products is not impacted by this vulnerability in Log4j V2: meshIQ components do not log externally supplied input in the way that would be required to trigger the lookup and exploit the vulnerability.
As a follow-on to this, many customers have asked about our usage of Log4j V1, since that offering is at end-of-life. As noted above, our usage of Log4j is limited to logging data from the meshIQ components themselves and does not expose this risk.
However, to mitigate both of these concerns, we have defined the following plan to address our usage within the products.
- meshIQ code that does not use Log4j
  - No changes are planned at this time.
- meshIQ code that uses Log4j V2
  - These components will be updated to a patched V2 release.
  - Components superseded by newer versions will not be updated.
- meshIQ code that uses Log4j V1
  - We will review a complete conversion to V2 in a future release as appropriate.
- In addition to meshIQ code, we also include a number of 3rd party offerings that use V1/V2.
  - Where applicable, we will update to versions or configurations that support, or are patched for, V2.
  - Where the 3rd party component supports it, we will use the Log4j 1.x-to-2.x bridge (log4j-1.2-api) as required.
  - If the 3rd party software only supports V1, it may be necessary to remove it, or to configure it to prevent the specific vulnerabilities, at a possible loss of function.
Note that there are methods to mitigate the specific vulnerability without upgrading, such as setting the system property "log4j2.formatMsgNoLookups" to "true" or removing the JndiLookup class from the classpath. The property is only honoured by Log4j 2.10.0 and later, and Apache subsequently withdrew it as a complete mitigation (CVE-2021-45046), so removing the JndiLookup class, or upgrading, is the recommended route.
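The class-removal mitigation above, as an added example that is not meshIQ's code: a Python script that audits a directory tree of jars for the JndiLookup class, strips it (the zipfile equivalent of the usual `zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class`), and checks whether the log4j-core version a jar declares is new enough for the formatMsgNoLookups property to be honoured at all. The sample jars it builds are constructed placeholders with fake class bytes so the script runs offline; the function and file names are this example's own.

```python
"""Audit jars for the JndiLookup class behind CVE-2021-44228 and strip it.

Added example, not meshIQ code. The removal is the zipfile equivalent of
`zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class`.
The jars built by demo() are constructed here for an offline run; their class
entries are placeholder bytes, not real Log4j code.
"""
import io
import tempfile
import zipfile
from pathlib import Path

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def scan_jar(jar):
    """Report whether a jar ships JndiLookup and which log4j-core version it declares."""
    with zipfile.ZipFile(jar) as zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
    return {"jar": str(jar), "has_jndi_lookup": JNDI_LOOKUP in names,
            "log4j_core_version": version}


def audit_tree(root):
    """Scan every *.jar under root (jars nested inside wars/ears are not opened)."""
    return [scan_jar(p) for p in sorted(Path(root).rglob("*.jar"))]


def strip_jndi_lookup(jar):
    """Rewrite the jar without JndiLookup.class. Returns True if the entry was removed."""
    jar = Path(jar)
    buf = io.BytesIO()
    removed = False
    with zipfile.ZipFile(jar) as src, zipfile.ZipFile(buf, "w") as dst:
        for info in src.infolist():
            if info.filename == JNDI_LOOKUP:
                removed = True
                continue
            dst.writestr(info, src.read(info))  # keeps name, timestamp, compression
    if removed:
        jar.write_bytes(buf.getvalue())  # take a backup first in production
    return removed


def property_mitigation_applies(version):
    """log4j2.formatMsgNoLookups is only honoured by Log4j 2.10.0 and later."""
    try:
        parts = tuple(int(x) for x in version.split("-")[0].split("."))
    except (AttributeError, ValueError):
        return False
    return parts >= (2, 10)


def make_sample_jar(path, version, with_jndi_lookup):
    """Constructed stand-in for a jar (placeholder bytes, not real classes)."""
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
        if version is not None:
            zf.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
        zf.writestr("com/example/Placeholder.class", b"\xca\xfe\xba\xbe placeholder")
        if with_jndi_lookup:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe placeholder")


def demo(workdir=None):
    """Build two constructed jars, audit them, strip the affected one, re-audit."""
    workdir = Path(workdir or tempfile.mkdtemp(prefix="log4j-audit-"))
    affected = workdir / "lib" / "log4j-core-2.14.1.jar"
    affected.parent.mkdir(parents=True, exist_ok=True)
    make_sample_jar(affected, "2.14.1", with_jndi_lookup=True)
    make_sample_jar(workdir / "app-utils.jar", None, with_jndi_lookup=False)
    before = audit_tree(workdir)
    removed = [strip_jndi_lookup(r["jar"]) for r in before if r["has_jndi_lookup"]]
    after = audit_tree(workdir)
    return {"before": before, "removed": removed, "after": after}


if __name__ == "__main__":
    for row in demo()["before"]:
        ok = property_mitigation_applies(row["log4j_core_version"])
        print(row, "property mitigation applies:", ok)
```

Run it against a real installation with `audit_tree("/opt/meshiq")` before and after a maintenance window; a jar that still reports `has_jndi_lookup: True` after the update has not been patched, regardless of what the declared version says.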
Product Notes:
- Current Navigator agents for MQ (also known as APWMQ) do not use Java and are not impacted by this vulnerability.
- Navigator: nsqcmkafka.jar and nsqcmace.jar use Log4j V2 in version 10.3.0 and above; nsqcmems.jar and the other components were updated to V2 in 10.4.x. 10.4.x also includes navxwsm, an alternate GUI for apodwsm; apodwsm will therefore not be updated to Log4j V2 and can be removed once navxwsm is in use. Apodwmq is no longer supported and can be removed.
- XRay 1.5: the Solr 8 and Storm builds provided can run the latest versions of Log4j V2 (manual update required). The Kafka, ZooKeeper, Siddhi CEP and ActiveMQ builds used by XRay still include Log4j V1: meshIQ products still support Java 8, and the latest releases of those components require Java 11. meshIQ raised the minimum level to Java 11 as of Q4 2022, and the major updates will incorporate later versions that address the Log4j V1 usage. Customers already running Java 11 can substitute their own versions for those in the meshIQ distribution; customer-deployed versions are not covered by the meshIQ support policy, but we will make a best effort to assist.
- XRay Express/tnt4j-streams (all): updated to use Log4j V2 and support the Log4j bridge for 3rd party components.
- No meshIQ components using Log4j V1 are configured to use the JMS appender (the component through which the known Log4j V1 deserialization issue, CVE-2021-4104, is reachable).
- The AutoPilot engine has been updated to use log4j V2 with Service Update 33.
- meshIQ components that depend on AutoPilot for logging have also been updated, including Navigator 10.4.1 and higher, XRay 1.4.1 and higher, Scheduler 0.1.15 and higher, and several other related experts.
- For more details, see AutoPilot M6 release notes: service update 33