A critical security vulnerability, CVE-2021-44228, has been identified in the popular “Apache Log4j 2” library (2.x <= 2.15.0-rc1). This has raised concerns among many dCache admins, who have contacted us either directly or by sending a message to security@dcache.org. Thanks for that!
Log4j in dCache
dCache uses logback as the default logging solution and does not distribute the Log4j library with officially released packages. It is therefore not affected.
Log4j in ZooKeeper and Kafka
Like many Java-based projects, ZooKeeper and Apache Kafka use Log4j as their logging library. However, they both depend on log4j-1.2.x, which is not vulnerable to this CVE.
Log4j in the dCache project infrastructure
We are currently checking the entire dCache project infrastructure for the presence of vulnerable versions of the Log4j library. This work is ongoing.
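For admins who want to run the same kind of check on their own hosts, the following added example (not dCache project tooling) inventories Java archives under a directory and classifies any Log4j it finds against the version range stated above. It goes beyond a filename search by also descending into archives bundled inside other archives; the function names and labels are illustrative, and the entry paths are assumed to follow the standard layout of the published Log4j jars.

```python
import io
import re
import zipfile
from pathlib import Path

# Entry names found inside the published log4j-core 2.x and log4j 1.x jars.
POM_V2 = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
V1_MARKER = "org/apache/log4j/Logger.class"
ARCHIVES = (".jar", ".war", ".ear")

def in_page_range(version):
    """True/False for the advisory's range (2.x <= 2.15.0-rc1); None if unparseable."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(.+))?", version)
    if not m:
        return None
    major, nums = int(m.group(1)), (int(m.group(2)), int(m.group(3) or 0))
    # The final 2.15.0 sorts after its release candidate, so at 2.15.0 only -rc1 is in range.
    at_bound = nums == (15, 0) and (m.group(4) or "").lower() == "rc1"
    return major == 2 and (nums < (15, 0) or at_bound)

def classify(data):
    """Return (label, detail) findings for archive bytes, descending into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [("unreadable", "not a valid zip")]
    names, found = zf.namelist(), []
    if POM_V2 in names:
        m = re.search(r"^version=(\S+)", zf.read(POM_V2).decode("utf-8", "replace"), re.M)
        ver = m.group(1) if m else "unknown"
        label = {True: "in-range", False: "outside-range", None: "unknown-version"}[in_page_range(ver)]
        found.append(("log4j2-" + label, ver))
    elif JNDI_LOOKUP in names:  # repackaged jar that lost its Maven metadata
        found.append(("log4j2-unknown-version", "JndiLookup.class present"))
    if V1_MARKER in names:
        found.append(("log4j-1.x", "outside this CVE per the advisory"))
    for name in names:  # bundled archives, e.g. fat jars and wars
        if name.lower().endswith(ARCHIVES):
            found += [(lbl, name + "!" + d) for lbl, d in classify(zf.read(name))]
    return found

def scan(root):
    """Walk root; return {path: findings} for every archive that has findings."""
    paths = (p for p in sorted(Path(root).rglob("*")) if p.is_file() and p.suffix.lower() in ARCHIVES)
    report = {str(p): classify(p.read_bytes()) for p in paths}
    return {p: hits for p, hits in report.items() if hits}
```

Call `scan("/path/to/install")` and review every entry labelled `log4j2-in-range` or `log4j2-unknown-version`; an empty result means no archive under that directory contains the Log4j entries checked for.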