Last updated: 16 Dec 2021 10.15 CET
Dear customer & community member,
A serious zero-day vulnerability in a popular logging library, log4j 2, has been reported (CVE-2021-44228). The Lenses team is continuously evaluating the situation.
Please find the latest information related to different Lenses products below. This page will be regularly updated.
The latest version of Lenses, 4.3.x, does not contain log4j library versions 2.0.x to 2.14.
Log4j 1.2.17 (not associated with the vulnerability) is packaged (io.confluent:confluent-log4j:1.2.17-cp2) but is not used directly by the Lenses application.
We recommend that all customers ensure they are running the latest version of Lenses (4.3.5).
Lenses 3.x does not contain log4j library versions 2.0.x to 2.14.
Please see the following flow diagram:
For customers running Lenses 4.0.x, 4.1.x or 4.2.x, log4j 2.0.x to 2.14 libraries are not present in the main Lenses product but are packaged in the Lenses SQL Processors Docker image/connector (https://hub.docker.com/r/lensesioextra/sql-processor).
This library is not used directly by our application; it is a transitive dependency. The Lenses engineering teams have updated the SQL Processor Docker images/connectors, and these are now available to download. For those in Connect mode, the update is available from the client area.
For all 4.0.*, 4.1.* and 4.2.* customers running SQL Processors, please see: https://docs.lenses.io/4.2/release-notes/4.2.8/
The Lenses Box Docker container contains a version of Lenses packaged with Apache Kafka and an ecosystem of open-source components, for development purposes only (https://lenses.io/apache-kafka-docker/).
In the latest version of the Docker container (https://hub.docker.com/r/lensesio/box), the packaged Lenses instance does not contain log4j versions 2.0.x to 2.14. However, some of the packaged open-source connectors (Elasticsearch, Hive & HDFS) may include log4j versions 2.0.x to 2.14.
The Lenses team has since prepared a new release of Lenses Box (version 4.3.5) removing all connectors with references and dependencies to log4j 2.0.x to 2.14.
We recommend running the latest version of Lenses Box.
Lenses contributes to a number of open-source Apache 2.0 connectors for Kafka known as Stream Reactors (https://github.com/lensesio/stream-reactor). The following connectors were found to include log4j 2.0.x to 2.14:
As of 14 Dec 2021, the Lenses team has updated these Stream Reactor connectors to version 3.0.1 and removed all references and dependencies to log4j 2.0.x to 2.14. We recommend that all customers and community users upgrade immediately.
See Stream Reactor 3.0.1 release notes
Download latest 3.0.1 connectors
No other open-source projects listed in https://github.com/lensesio/ have been identified as impacted by this vulnerability.
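As an added check (not Lenses code, and not part of this advisory), assuming connector and library jars are laid out as <artifact>-<version>[-<qualifier>].jar under a Lenses lib or connector plugin directory: the script below walks a path and buckets each log4j jar by the version ranges this page names (2.0.x to 2.14 as the affected range, log4j 1.2.17 as not associated with CVE-2021-44228), so an operator can confirm what a given install or image actually ships.

```python
import os
import re
import sys
from typing import Dict, List, Optional

# Assumed filename layout for this example: "<artifact>-<version>[-<qualifier>].jar",
# e.g. log4j-core-2.14.1.jar, log4j-1.2.17.jar, confluent-log4j-1.2.17-cp2.jar.
JAR_RE = re.compile(
    r"^(?P<name>[\w.-]*log4j(?:-[A-Za-z][A-Za-z0-9]*)*)-(?P<ver>\d+(?:\.\d+)*)(?:-[\w.]+)?\.jar$"
)

# Verdicts mirror the advisory: 2.0.x to 2.14 is the range it names, and
# log4j 1.2.17 is described as not associated with CVE-2021-44228.
IN_RANGE = "log4j 2.0.x to 2.14 (range named in the advisory)"
LOG4J_1 = "log4j 1.x (not associated with CVE-2021-44228 per the advisory)"
OUTSIDE = "outside the range named in the advisory; check the release notes"


def classify_jar(filename: str) -> Optional[str]:
    """Map a jar filename to one of the advisory's version buckets; None if not a log4j jar."""
    m = JAR_RE.match(os.path.basename(filename))
    if not m:
        return None
    ver = tuple(int(p) for p in m.group("ver").split("."))
    if ver[0] == 1:
        return LOG4J_1
    if (2, 0) <= ver < (2, 15):  # 2.0.0 .. 2.14.x inclusive
        return IN_RANGE
    return OUTSIDE


def summarize(filenames: List[str]) -> Dict[str, List[str]]:
    """Group every log4j jar in `filenames` under its verdict; other jars are skipped."""
    groups: Dict[str, List[str]] = {}
    for f in filenames:
        verdict = classify_jar(f)
        if verdict is not None:
            groups.setdefault(verdict, []).append(f)
    return groups


def scan_dir(root: str) -> Dict[str, List[str]]:
    """Walk a Lenses install or connector plugin path and summarize the log4j jars it holds."""
    jars = [os.path.join(d, f) for d, _, files in os.walk(root) for f in files if f.endswith(".jar")]
    return summarize(jars)


if __name__ == "__main__":
    for verdict, jars in scan_dir(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(f"{verdict}:")
        for jar in jars:
            print(f"  {jar}")
```

Run it against an unpacked connector archive or a directory copied out of a container image; jars whose names do not carry a version (or a shaded fat jar) will not be classified and need to be inspected separately.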