CVE-2021-44228 Log4J Vulnerability and ClickHouse

Update #1 added 14 Dec 1100 GMT to qualify Log4J 1.2 vulnerability. See below.

Update #2 added 16 Dec 1800 GMT to follow up on Altinity.Cloud vulnerability assessment.

A number of users have asked us whether ClickHouse or Altinity products are subject to the Log4Shell Log4J vulnerability (CVE-2021-44228). Log4J is a logging library that is widely used in Java to print service messages to logs. The vulnerability enables remote exploits against Java programs using Apache Log4J Version 2.0 through 2.14.1. It is classified as critical.

Summary: ClickHouse and Altinity products are not subject to CVE-2021-44228 based on knowledge available today. 

Important! If you run any Java applications, you should check whether they have the affected Log4J library version. Check here for advice to detect and remediate the problem. 
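One way to carry out the check recommended above, as an added example (not Altinity or ClickHouse code): a Python script that finds Log4J JARs by file name, on disk and inside WAR/EAR/fat-JAR archives, and flags versions in the 2.0 through 2.14.1 range stated on this page. The function names and the assumed file-name pattern are this example's own.

```python
import re
import sys
import zipfile
from pathlib import Path

# Affected range as stated on this page: Log4J 2.0 through 2.14.1.
AFFECTED_MIN, AFFECTED_MAX = (2, 0, 0), (2, 14, 1)

# Assumed naming: log4j-core-2.14.1.jar (Log4J 2) or log4j-1.2.17.jar (Log4J 1.2).
JAR_NAME = re.compile(r"log4j(?:-core)?-(\d+)\.(\d+)(?:\.(\d+))?[^/]*\.jar$")
ARCHIVES = (".jar", ".war", ".ear")


def classify(name):
    """Return (version, affected) for a Log4J JAR name, or None for other files."""
    m = JAR_NAME.search(name)
    if not m:
        return None
    # A missing patch number counts as 0; suffixes such as -beta9 are ignored.
    version = tuple(int(part or 0) for part in m.groups())
    return version, AFFECTED_MIN <= version <= AFFECTED_MAX


def scan(root):
    """List (location, version, affected) for Log4J JARs under root."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in ARCHIVES:
            continue
        hit = classify(path.name)
        if hit:
            findings.append((str(path), *hit))
        try:
            # WAR, EAR and fat JAR files bundle libraries as archive entries.
            with zipfile.ZipFile(path) as archive:
                entries = archive.namelist()
        except (zipfile.BadZipFile, OSError):
            continue  # unreadable or not a real archive
        for entry in entries:
            nested = classify(entry)
            if nested:
                findings.append((f"{path}!{entry}", *nested))
    return findings


if __name__ == "__main__":
    for location, version, affected in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        label = "IN AFFECTED RANGE" if affected else "outside affected range"
        print(".".join(map(str, version)), label, location, sep="\t")
```

Matching is by file name only, so a shaded or renamed copy of Log4J, or one packed inside a JAR that is itself inside another archive, will not be reported.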

1. ClickHouse Java-based services and libraries are not directly affected because they use older Log4J 1.2 libraries.

  • Zookeeper — Uses Log4J version 1.2 and hence is not affected. See ZOOKEEPER-4423 for analysis.
  • ClickHouse JDBC Driver — Uses SLF4J12 facade for logging. This library is designed to work with Log4j version 1.2, which is not affected. The Maven build pulls down Log4J version 1.2 during the build but does not deploy it. We therefore conclude that the JDBC driver is not directly vulnerable and have logged Issue 779 to confirm. Check the issue for further information. Also, you should still check Java applications as described above, since other libraries may use Log4J Version 2.  

(Update #1) Log4J 1.2 has a separate vulnerability CVE-2021-009, rated moderate, which affects applications where an attacker has write access to the log4j.properties file and/or a specific configuration of JMSAppender is used. The above services do not configure JMSAppender.

2. ClickHouse itself and other services are unaffected because they do not use Java. 

(Update #2) We have identified a possible use of Java in an underlying service for Altinity.Cloud log storage. We are investigating this and will report findings. Altinity.Cloud users will see a notification in the console.

We will continue to monitor CVE-2021-44228 and will provide updates if we learn of additional concerns.
