CVE-2021-44228 Updates

Last updated: 16 Dec 2021 10.15 CET


Dear customer & community member,

A serious zero-day vulnerability in a popular logging library, log4j 2, has been reported (CVE-2021-44228). The Lenses team is continuously evaluating the situation.


Please find the latest information related to different Lenses products below. This page will be regularly updated.


For any immediate questions please contact support at support@lenses.io or speak to us directly via the Lenses Community Slack channel: https://launchpass.com/lensesio



Lenses
Last updated: 16 Dec 2021 10.15 CET

The latest version of Lenses, 4.3.x, does not contain the log4j libraries at versions 2.0.x to 2.14.

Log4j 1.2.17 (not associated with the vulnerability) is packaged (io.confluent:confluent-log4j:1.2.17-cp2) but is not used directly by the Lenses application.

We would recommend all customers to ensure they are running the latest version of Lenses (4.3.5).

Lenses 3.x does not contain the libraries log4j versions 2.0.x to 2.14.

Please see the following flow diagram:

[Flow diagram: log4j]


For customers running Lenses 4.0.x, 4.1.x or 4.2.x, the log4j 2.0.x to 2.14 libraries are not present in the main Lenses product but are packaged in the Lenses SQL Processors docker/connector (https://hub.docker.com/r/lensesioextra/sql-processor).

This library is not used by our application directly but is a transitive dependency. The Lenses engineering teams have updated the SQL Processor Docker images/Connectors, and these are now available to download. For those in Connect mode, this is available from the client area.

For all 4.0.*, 4.1.* and 4.2.* customers running SQL Processors, please see: https://docs.lenses.io/4.2/release-notes/4.2.8/
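The statements above (and those for Lenses Box and the Stream Reactor connectors further down) come down to one question a practitioner will want to answer for their own deployment: which jars in this installation, container image or connector bundle carry log4j-core in the 2.0.x to 2.14 range, and is the unrelated log4j 1.2.17 (confluent-log4j) being mistaken for it? The script below is an added example, not code from Lenses or from this page. It walks a directory tree (for instance an unpacked image or a plugin path), reads the version from the standard Maven pom.properties inside each log4j-core jar, recurses into nested jars, separately reports whether the JndiLookup class is still present (a common mitigation is to delete it, which a version check alone would miss), and labels log4j 1.x jars as not associated with CVE-2021-44228. The sample jars it scans are constructed in a temporary directory with placeholder contents; the directory layout, file names and status labels are this example's own assumptions.

```python
import io
import os
import re
import tempfile
import zipfile

# The advisory's range of concern: log4j-core 2.0.x up to and including 2.14.x.
AFFECTED_MIN = (2, 0)
AFFECTED_MAX = (2, 14)

# Standard Maven metadata path inside a log4j-core jar (carries the version).
LOG4J2_POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Class implementing the JNDI lookup behind CVE-2021-44228; deleting it from the
# jar is a common mitigation, so its presence is reported separately from the version.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Marker class for the separate log4j 1.x line (e.g. confluent-log4j 1.2.17).
LOG4J1_MARKER = "org/apache/log4j/Logger.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".zip")


def parse_version(pom_properties):
    """Return (major, minor[, patch]) parsed from pom.properties text, or None."""
    m = re.search(r"^version=(\d+)\.(\d+)(?:\.(\d+))?", pom_properties, re.MULTILINE)
    if not m:
        return None
    return tuple(int(part) for part in m.groups() if part is not None)


def status_for(version, has_jndi_lookup):
    """Classify a log4j-core jar by version range and JndiLookup presence."""
    if version is None:
        return "UNKNOWN-VERSION"
    in_range = AFFECTED_MIN <= version[:2] <= AFFECTED_MAX
    if in_range and has_jndi_lookup:
        return "AFFECTED"
    if in_range:
        return "IN-RANGE-CLASS-REMOVED"  # in range, but the lookup class was stripped
    return "OK"


def inspect_archive(zf, label, findings):
    """Record log4j findings for one open zip, recursing into nested archives."""
    names = set(zf.namelist())
    if LOG4J2_POM in names:
        version = parse_version(zf.read(LOG4J2_POM).decode("utf-8", "replace"))
        has_jndi = JNDI_LOOKUP_CLASS in names
        findings.append({"path": label, "family": "log4j2", "version": version,
                         "jndi_lookup": has_jndi, "status": status_for(version, has_jndi)})
    elif LOG4J1_MARKER in names:
        findings.append({"path": label, "family": "log4j1", "version": None,
                         "jndi_lookup": False, "status": "LOG4J1-NOT-CVE-2021-44228"})
    for name in sorted(names):
        if name.endswith(ARCHIVE_SUFFIXES):  # fat jars / connector bundles
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                    inspect_archive(inner, f"{label}!{name}", findings)
            except zipfile.BadZipFile:
                continue


def scan_for_log4j(root):
    """Walk a directory tree (e.g. an unpacked image) and return log4j findings."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in sorted(filenames):
            if not fn.endswith(ARCHIVE_SUFFIXES):
                continue
            full = os.path.join(dirpath, fn)
            label = os.path.relpath(full, root).replace(os.sep, "/")
            try:
                with zipfile.ZipFile(full) as zf:
                    inspect_archive(zf, label, findings)
            except zipfile.BadZipFile:
                continue
    return findings


def _jar_bytes(entries):
    """Build an in-memory zip from {entry_name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()


def build_sample_tree(root):
    """Constructed sample jars (placeholder contents, not real artefacts) for a dry run."""
    fake_class = b"\xca\xfe\xba\xbe"  # class-file magic number as filler
    samples = {
        "log4j-core-2.14.1.jar": {LOG4J2_POM: "version=2.14.1\n", JNDI_LOOKUP_CLASS: fake_class},
        "log4j-core-2.17.0.jar": {LOG4J2_POM: "version=2.17.0\n", JNDI_LOOKUP_CLASS: fake_class},
        "confluent-log4j-1.2.17-cp2.jar": {LOG4J1_MARKER: fake_class},
        # A bundle embedding an in-range log4j-core from which JndiLookup was removed.
        "connector-bundle.jar": {
            "lib/log4j-core-2.13.3.jar": _jar_bytes({LOG4J2_POM: "version=2.13.3\n"})},
    }
    os.makedirs(os.path.join(root, "lib"), exist_ok=True)
    for name, entries in samples.items():
        with open(os.path.join(root, "lib", name), "wb") as fh:
            fh.write(_jar_bytes(entries))


def demo_scan():
    """Build the constructed sample tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_for_log4j(root)


if __name__ == "__main__":
    for f in demo_scan():
        print(f"{f['status']:<26} {f['path']}  version={f['version']}")
```

Run it against a real tree by calling scan_for_log4j() with the directory of an unpacked image or plugin path instead of the constructed sample. Anything reported as AFFECTED needs the updated artefacts described in this advisory; IN-RANGE-CLASS-REMOVED is worth reviewing rather than dismissing, because it shows a hand-patched jar rather than an upgraded one.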



Lenses Box
Last updated: 15 Dec 2021 19.30 CET

The Lenses Box Docker container contains a version of Lenses packaged with Apache Kafka and an ecosystem of open-source components, for development purposes only (https://lenses.io/apache-kafka-docker/).

In the latest version of the Docker container (https://hub.docker.com/r/lensesio/box), the packaged Lenses instance does not contain the log4j libraries at versions 2.0.x to 2.14. However, some open-source connectors packaged with it (Elasticsearch, Hive & HDFS) may include log4j versions 2.0.x to 2.14.

The Lenses team has since prepared a new release of Lenses Box (version 4.3.5) removing all Connectors with references and dependencies to log4j 2.0.x to 2.14.

We recommend running the latest version of Lenses Box.



Open Source Projects
Last updated: 14 Dec 2021 09.30 CET

Lenses contributes to a number of open-source Apache 2.0 connectors for Kafka known as Stream Reactors (https://github.com/lensesio/stream-reactor). The following connectors were found to include log4j 2.0.x to 2.14:


As of 14th Dec 2021, the Lenses team has updated these Stream Reactor connectors to version 3.0.1 and removed all references & dependencies to log4j 2.0.x to 2.14. We recommend that all customers and community users upgrade immediately.

See Stream Reactor 3.0.1 release notes

Download latest 3.0.1 connectors


No other open-source projects listed in https://github.com/lensesio/ have been identified as impacted by this vulnerability.