TL,DR: Debezium is NOT affected by the recently disclosed remote code execution vulnerability in log4j2 (CVE-2021-44228); The log4j-1.2.17.jar shipped in Debezium’s container images contains a class JMSAppender, which is subject to a MODERATE vulnerability (CVE-2021-4104). This appender is NOT used by default, i.e. access to log4j’s configuration is required in order to exploit this CVE. As a measure of caution, we have decided to remove the JMSAppender class from Debezium’s container images as of version 1.7.2.Final, released today.

On Dec 10th, a remote code execution vulnerability in the widely used log4j2 library was published (CVE-2021-44228). Debezium, just like Apache Kafka and Kafka Connect, does not use log4j2 and therefore is NOT affected by this CVE.

Apache Kafka, Kafka Connect and Apache ZooKeeper do use log4j 1.x though, which therefore is shipped as part of Debezium’s container images for these components. On Dec 13th, a MODERATE vulnerability in log4j 1.x was published (CVE-2021-4104), affecting the JMSAppender class coming with log4j 1.x. This vulnerability "allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker’s JMS Broker".

This appender is NOT used by default, i.e. "this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker’s JMS Broker". If you are using JMSAppender, you should verify and ensure that you are using trustworthy configuration values for its TopicBindingName and TopicConnectionFactoryBindingName settings.

Using a JMS-based appender should only very rarely occur in the context of Apache Kafka, if at all. As a measure of caution, we have therefore decided to remove the JMSAppender class from the log4j-1.2.17.jar JAR contained in Debezium’s container images for Apache Kafka, Kafka Connect, and Apache ZooKeeper. At the same time, we are also removing the SocketServer class from the log4j-1.2.17.jar, which is subject to another, unrelated CVE (CVE-2019-17571). This is a separate main class, not used in any way by Debezium, Kafka, Kafka Connect, or ZooKeeper, but we decided to not ship it any longer, thus making the Debezium container images not subject to this CVE either.

Note that if you are running the Debezium connectors via other distributions of Apache Kafka and related components, the JMSAppender and SocketServer classes may be present in their log4j-1.2.17.jar, and you thus should make sure to either not use them at all, or only use them in safe way. Access to log4j’s configuration should be secured in an appropriate way.

Other distributables of Debezium, such as the individual connector archives, or the Debezium Server distribution, do not contain log4j-1.2.17.jar and thus are NOT subject to the mentioned CVEs in any way.

The removal of the JMSAppender and SocketServer classes from the log4j-1.2.17.jar shipped with Debezium’s container images is effective as of Debezium 1.7.2.Final, which was released earlier today. We recommend to update to this version to all users.

If you have any questions around this topic, please join the discussion on this thread on the Debezium mailling list. If you have any other security-related concerns around Debezium, please do NOT publicly discuss them, but file a Jira issue with limited visibility in our bug tracker, and we will follow up with you on this as quickly as possible.

Gunnar Morling

Gunnar is a software engineer at Decodable and an open-source enthusiast by heart. He has been the project lead of Debezium over many years. Gunnar has created open-source projects like kcctl, JfrUnit, and MapStruct, and is the spec lead for Bean Validation 2.0 (JSR 380). He’s based in Hamburg, Germany.

   


About Debezium

Debezium is an open source distributed platform that turns your existing databases into event streams, so applications can see and respond almost instantly to each committed row-level change in the databases. Debezium is built on top of Kafka and provides Kafka Connect compatible connectors that monitor specific database management systems. Debezium records the history of data changes in Kafka logs, so your application can be stopped and restarted at any time and can easily consume all of the events it missed while it was not running, ensuring that all events are processed correctly and completely. Debezium is open source under the Apache License, Version 2.0.

Get involved

We hope you find Debezium interesting and useful, and want to give it a try. Follow us on Twitter @debezium, chat with us on Zulip, or join our mailing list to talk with the community. All of the code is open source on GitHub, so build the code locally and help us improve ours existing connectors and add even more connectors. If you find problems or have ideas how we can improve Debezium, please let us know or log an issue.