Two vulnerabilities (CVE-2021-45046 and CVE-2021-44228) have recently been identified in the Apache Log4J2 logging libraries.
The majority of sd-agent is written in Python; however, JVM/JMX metrics can be collected via the sd-agent-jmx package, which uses Java and the Log4J2 library. We recommend you review this whole document to understand the impact.
Impact
Debian/Ubuntu OSes (.deb)
sd-agent < 2.2.0
All sd-agent versions below 2.2.0 are affected and we recommend you update sd-agent immediately.
sd-agent-jmx <= 2.2.8
The sd-agent-jmx package version 2.2.8 and below is affected. The sd-agent-jmx package is a dependency of the following plugins:
- sd-agent-activemq
- sd-agent-cassandra
- sd-agent-kafka
- sd-agent-solr
- sd-agent-tomcat
This means that if you have any of the above packages installed, the sd-agent-jmx package will also have been installed automatically. We recommend you update sd-agent and all related packages immediately.
CentOS/RHEL/RHEL Derivative OSes (.rpm)
sd-agent <= 2.2.8 & sd-agent-jmx <= 2.2.8
Due to a packaging error, the jmxfetch jar was included in the sd-agent package. This has been resolved in 2.2.9, and updating to >=2.2.9 will remove the jmxfetch jar file from your system if you do not have sd-agent-jmx installed.
The sd-agent-jmx package is a dependency of the following plugins:
- sd-agent-activemq
- sd-agent-cassandra
- sd-agent-kafka
- sd-agent-solr
- sd-agent-tomcat
This means that if you have any of the above packages installed, the sd-agent-jmx package will also have been installed automatically. We recommend you update sd-agent and all related packages immediately.
Resolution
We have released agent version 2.2.10, which updates the sd-agent-jmx package to remove the use of Log4J2 and thereby mitigates both CVE-2021-45046 and CVE-2021-44228. sd-agent version 2.2.9 and above also resolves the packaging error for el/rpm packages and will automatically remove the affected jmxfetch jar if sd-agent-jmx is not installed.
Action
We strongly suggest that all customers with sd-agent installed update immediately to sd-agent version 2.2.10. This can be completed via your package manager. If you have any issues updating, please contact support via hello@serverdensity.com.
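As an added example (not Server Density's code and not part of this advisory), the POSIX shell script below encodes the version thresholds from the Impact section and reports which of sd-agent / sd-agent-jmx on a host still need the update. It queries dpkg-query or rpm when they are present, and lists the files of the installed sd-agent rpm to spot the bundled jmxfetch jar from the packaging error. The sample inventory is constructed for illustration, and the version comparison is a simplified numeric one that strips package revision suffixes such as "-1"; it is not a full dpkg/rpm version ordering.

```shell
#!/bin/sh
# Added example, not Server Density's code: check installed sd-agent and
# sd-agent-jmx versions against the thresholds stated in this advisory.

# version_lt A B: exit 0 if dotted version A sorts numerically before B.
# Revision suffixes ("8-1" -> "8") are dropped per component; this is a
# simplification of dpkg/rpm ordering, not a reimplementation of it.
version_lt() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    case "$a" in *.*) ax="${a%%.*}"; a="${a#*.}" ;; *) ax="$a"; a="" ;; esac
    case "$b" in *.*) bx="${b%%.*}"; b="${b#*.}" ;; *) bx="$b"; b="" ;; esac
    ax="${ax%%[!0-9]*}"; bx="${bx%%[!0-9]*}"
    ax="${ax:-0}"; bx="${bx:-0}"
    [ "$ax" -lt "$bx" ] && return 0
    [ "$ax" -gt "$bx" ] && return 1
  done
  return 1
}

# is_affected FAMILY PKG VERSION: exit 0 if the advisory lists this version
# as affected, 1 if it is fixed, 2 if the advisory does not cover the package.
# FAMILY is "deb" (Debian/Ubuntu) or "rpm" (CentOS/RHEL and derivatives).
is_affected() {
  case "$1/$2" in
    deb/sd-agent)     version_lt "$3" 2.2.0 ;;  # affected if < 2.2.0
    deb/sd-agent-jmx) version_lt "$3" 2.2.9 ;;  # affected if <= 2.2.8
    rpm/sd-agent)     version_lt "$3" 2.2.9 ;;  # <= 2.2.8 ships the jmxfetch jar
    rpm/sd-agent-jmx) version_lt "$3" 2.2.9 ;;  # affected if <= 2.2.8
    *) return 2 ;;
  esac
}

# installed_version PKG: print the installed version via dpkg-query or rpm,
# or nothing if the package (or the package manager) is absent.
installed_version() {
  if command -v dpkg-query >/dev/null 2>&1; then
    dpkg-query -W -f '${Version}' "$1" 2>/dev/null
  elif command -v rpm >/dev/null 2>&1; then
    rpm -q "$1" >/dev/null 2>&1 && rpm -q --qf '%{VERSION}-%{RELEASE}' "$1"
  fi
}

# Constructed sample inventory (not real hosts): "family package version" per line.
SAMPLE_INVENTORY='deb sd-agent 2.1.9-1
deb sd-agent-jmx 2.2.8-1
rpm sd-agent 2.2.9-1
rpm sd-agent-jmx 2.2.10-1
deb sd-agent-kafka 1.0.0'

# report_inventory: read "family package version" lines on stdin and print
# one verdict per line. Plugin packages are UNLISTED because the advisory
# covers them only through their sd-agent-jmx dependency.
report_inventory() {
  while read -r family pkg ver; do
    [ -z "$pkg" ] && continue
    is_affected "$family" "$pkg" "$ver" && rc=0 || rc=$?
    case "$rc" in
      0) echo "AFFECTED  $family $pkg $ver -> update to sd-agent 2.2.10" ;;
      1) echo "OK        $family $pkg $ver" ;;
      *) echo "UNLISTED  $family $pkg $ver (check sd-agent-jmx instead)" ;;
    esac
  done
  return 0
}

# report_live_system: run the same checks against this host's package database.
report_live_system() {
  if command -v dpkg-query >/dev/null 2>&1; then family=deb; else family=rpm; fi
  for pkg in sd-agent sd-agent-jmx; do
    ver="$(installed_version "$pkg" || true)"
    [ -z "$ver" ] && { echo "$pkg: not installed"; continue; }
    if is_affected "$family" "$pkg" "$ver"; then
      echo "$pkg $ver: AFFECTED, update to 2.2.10"
    else
      echo "$pkg $ver: not affected"
    fi
  done
  # Packaging error check: an sd-agent rpm <= 2.2.8 still carries the jmxfetch jar.
  if [ "$family" = rpm ] && rpm -ql sd-agent 2>/dev/null | grep -qi 'jmxfetch.*\.jar'; then
    echo "sd-agent rpm still ships a jmxfetch jar (removed by 2.2.9 when sd-agent-jmx is absent)"
  fi
}

printf '%s\n' "$SAMPLE_INVENTORY" | report_inventory
report_live_system
```

On a real host, report_live_system is the part that matters; the rpm branch also runs `rpm -ql sd-agent | grep -i jmxfetch`, which is the simplest way to confirm whether the bundled jar from the packaging error is still present after updating.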
EoL/Legacy OSes
Server Density maintains older repositories for EoL/Legacy Operating Systems but no longer provides sd-agent updates for them. This means that updates for sd-agent-jmx for the following OSes are not available:
- CentOS/RHEL 6 (Including derivatives)
- Debian Wheezy (7)
- Ubuntu Trusty (14)
- Ubuntu Precise (12)
If you are still using these OSes and are unable to upgrade, please contact support via hello@serverdensity.com for further assistance.