sd-agent and Log4J2

Two vulnerabilities (CVE-2021-45046 and CVE-2021-44228) have recently been identified in the Apache Log4J2 logging libraries.

The majority of sd-agent is written in Python. However, JVM/JMX metrics can be collected via the sd-agent-jmx package, which uses Java and the Log4J2 library. We recommend you review this whole document to understand the impact.

Impact

Debian/Ubuntu OSes (.deb)

sd-agent < 2.2.0

All sd-agent versions below 2.2.0 are affected and we recommend you update sd-agent immediately.

sd-agent-jmx <= 2.2.8

The sd-agent-jmx package version 2.2.8 and below is affected. The sd-agent-jmx package is a dependency of the following plugins:

  • sd-agent-activemq
  • sd-agent-cassandra
  • sd-agent-kafka
  • sd-agent-solr
  • sd-agent-tomcat

This means that if you have any of the above packages installed, the sd-agent-jmx package will also have been installed automatically. We recommend you update sd-agent and all related packages immediately.

CentOS/RHEL/RHEL derivative OSes (.rpm)

sd-agent <= 2.2.8 & sd-agent-jmx <= 2.2.8

Due to a packaging error, the jmxfetch jar was included in the sd-agent package itself. This has been resolved in 2.2.9, and updating to 2.2.9 or later will remove the jmxfetch jar file from your system if you do not have sd-agent-jmx installed.

The sd-agent-jmx package is a dependency of the following plugins:

  • sd-agent-activemq
  • sd-agent-cassandra
  • sd-agent-kafka
  • sd-agent-solr
  • sd-agent-tomcat

This means that if you have any of the above packages installed, the sd-agent-jmx package will also have been installed automatically. We recommend you update sd-agent and all related packages immediately.

Resolution

We have released agent version 2.2.10, which updates the sd-agent-jmx package to remove the use of Log4J2 and so mitigates both CVE-2021-45046 and CVE-2021-44228. sd-agent version 2.2.9 and above also resolves the packaging error for el/rpm packages and will automatically remove the affected jmxfetch jar if sd-agent-jmx is not installed.

Action

We strongly suggest that all customers with sd-agent installed update immediately to sd-agent version 2.2.10. This can be completed via your package manager. If you have any issues updating, please contact support via hello@serverdensity.com.
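The following script is an added example for checking a host against the affected ranges listed in the Impact section above; it is not Server Density's own tooling. It reads the installed sd-agent and sd-agent-jmx versions from dpkg or rpm, compares them against the per-format thresholds stated on this page (deb: sd-agent < 2.2.0, sd-agent-jmx <= 2.2.8; rpm: both <= 2.2.8), and then looks for a leftover jmxfetch jar. The jar file name pattern `*jmxfetch*.jar` and the `--scan` flag are assumptions made for this example.

```shell
#!/bin/sh
# Added example: is this host inside the affected sd-agent / sd-agent-jmx ranges?
# Not Server Density's tooling; thresholds are taken from the advisory text.

# vercmp A B: print -1, 0 or 1 for dotted numeric versions (2.2.10 > 2.2.9).
vercmp() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai="${a%%.*}"; bi="${b%%.*}"
    [ -z "$ai" ] && ai=0            # 2.2 compares equal to 2.2.0
    [ -z "$bi" ] && bi=0
    if [ "$ai" -lt "$bi" ]; then echo -1; return; fi
    if [ "$ai" -gt "$bi" ]; then echo 1; return; fi
    case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
    case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
  done
  echo 0
}

# is_affected FORMAT PKG VERSION: exit 0 when VERSION is in the advisory's
# affected range for that package/format, 1 when it is not, 2 when unknown.
is_affected() {
  fmt="$1"; pkg="$2"; ver="$3"
  ver="${ver#*:}"                    # drop a dpkg epoch such as 1:
  ver="${ver%%[-+~]*}"               # drop the package revision, e.g. -1
  case "$fmt/$pkg" in
    deb/sd-agent)                                   limit=2.2.0; op=lt ;;
    deb/sd-agent-jmx|rpm/sd-agent|rpm/sd-agent-jmx) limit=2.2.8; op=le ;;
    *) echo "no affected range known for $pkg ($fmt)" >&2; return 2 ;;
  esac
  c=$(vercmp "$ver" "$limit")
  if [ "$op" = lt ] && [ "$c" -lt 0 ]; then return 0; fi
  if [ "$op" = le ] && [ "$c" -le 0 ]; then return 0; fi
  return 1
}

# installed_version FORMAT PKG: print the installed version, fail if absent.
installed_version() {
  case "$1" in
    deb) dpkg-query -W -f '${Version}' "$2" 2>/dev/null ;;
    rpm) rpm -q "$2" >/dev/null 2>&1 && rpm -q --qf '%{VERSION}-%{RELEASE}' "$2" ;;
  esac
}

# report: check both packages on this host and look for a stray jmxfetch jar
# (the '*jmxfetch*.jar' name pattern is an assumption of this example).
report() {
  if command -v dpkg-query >/dev/null 2>&1; then fmt=deb
  elif command -v rpm >/dev/null 2>&1; then fmt=rpm
  else echo "neither dpkg nor rpm found" >&2; return 2; fi
  for pkg in sd-agent sd-agent-jmx; do
    ver=$(installed_version "$fmt" "$pkg") && [ -n "$ver" ] || { echo "$pkg: not installed"; continue; }
    if is_affected "$fmt" "$pkg" "$ver"; then
      echo "$pkg $ver ($fmt): AFFECTED - update to 2.2.10 or later"
    else
      echo "$pkg $ver ($fmt): not in an affected range"
    fi
  done
  find / -xdev -type f -name '*jmxfetch*.jar' 2>/dev/null | sed 's/^/jmxfetch jar present: /'
}

# Only touch the live system when asked: sh check.sh --scan
case "${1:-}" in --scan) report ;; esac
```

Run it with `--scan` on the host being checked. A jar reported after sd-agent has been updated to 2.2.9 or later, with sd-agent-jmx not installed, indicates the rpm packaging cleanup described above did not happen and is worth raising with support.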

EoL/Legacy OSes

Server Density maintains older repositories for EoL/Legacy operating systems but no longer provides sd-agent updates for them. This means that updates for sd-agent-jmx are not available for the following OSes:

  • CentOS/RHEL 6 (Including derivatives)
  • Debian Wheezy (7)
  • Ubuntu Trusty (14)
  • Ubuntu Precise (12)

If you are still using these OSes and are unable to upgrade, please contact support via hello@serverdensity.com for further assistance.
