Camunda is aware of the Log4j security vulnerability that is currently being covered prominently in the press (e.g. Hacker News), specifically CVE-2021-44228.
Below you can find the current state of our assessment and response to this vulnerability. We are updating this statement as we learn more and release patches.
Camunda recommends that all users and customers:
- verify whether affected versions of Log4j are used in their own application code;
- verify any additional Java-based components they run in combination with Camunda, such as application servers or Elasticsearch distributions.
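One way to carry out both checks above, as an added example (this is not Camunda's tooling): a Python scanner that walks a directory, opens every JAR/WAR/EAR, recurses into archives nested inside them (Spring Boot fat jars, WAR libraries, Elasticsearch distributions and plugins), and grades each log4j-core copy by the version recorded in its Maven pom.properties and by whether JndiLookup.class is still present. The version thresholds follow the Apache Log4j advisories; the fixture jars built in demo() are constructed, and the file names and paths are assumptions.

```python
"""Scan a directory tree for log4j-core artifacts, including copies nested
inside fat JARs, WARs and EARs, and report which still need the Log4Shell
fixes. Added example (not Camunda's tooling); file names are assumptions."""
import io
import re
import sys
import zipfile
from pathlib import Path

ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
# The class implementing the ${jndi:...} message lookup behind CVE-2021-44228.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven records the artifact version here in every released log4j-core jar.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); a missing patch component becomes 0."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    return tuple(int(g or 0) for g in m.groups()) if m else None


def classify(version, jndi_present):
    """Status of one log4j-core jar from its version tuple and whether
    JndiLookup.class is still inside it. Thresholds follow the Apache advisories;
    the Java 6/7 backport lines (2.3.x, 2.12.x) are flagged here too and should
    be checked against those advisories by hand."""
    if version is None:
        return "UNKNOWN: log4j-core found without version metadata; treat as affected"
    if version < (2, 16, 0):
        # JNDI message lookups are reachable by default in these releases.
        if not jndi_present:
            return "MITIGATED: JndiLookup.class removed; upgrade is still required"
        if version < (2, 15, 0):
            return "VULNERABLE: CVE-2021-44228 (JNDI lookup RCE)"
        return "VULNERABLE: 2.15.0 fix is incomplete (CVE-2021-45046)"
    if version < (2, 17, 0):
        return "UPGRADE: CVE-2021-45105 (uncontrolled recursion DoS)"
    if version < (2, 17, 1):
        return "UPGRADE: CVE-2021-44832 (JDBC appender; needs config write access)"
    return "OK: 2.17.1 or later"


def scan_archive_bytes(data, label):
    """Findings for one archive and, recursively, every archive nested in it."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []  # not a zip container after all
    findings = []
    with zf:
        names = zf.namelist()          # list keeps archive order (deterministic output)
        name_set = set(names)
        jndi_present = JNDI_LOOKUP_CLASS in name_set
        version = None
        if POM_PROPERTIES in name_set:
            for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = parse_version(line.split("=", 1)[1])
        if jndi_present or POM_PROPERTIES in name_set:
            findings.append({"path": label, "version": version,
                             "jndi_lookup": jndi_present,
                             "status": classify(version, jndi_present)})
        # Spring Boot BOOT-INF/lib, WAR WEB-INF/lib, EAR modules, ES plugin zips, ...
        for name in names:
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                findings.extend(scan_archive_bytes(zf.read(name), f"{label}!{name}"))
    return findings


def scan_tree(root):
    """Scan every archive under a directory (e.g. an unpacked Camunda or ES install)."""
    findings = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and p.suffix.lower() in ARCHIVE_SUFFIXES:
            findings.extend(scan_archive_bytes(p.read_bytes(), str(p)))
    return findings


def build_fake_jar(version, include_jndi=True, nested=None):
    """Constructed fixture: a minimal zip shaped like a log4j-core jar."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if version is not None:
            zf.writestr(POM_PROPERTIES, f"artifactId=log4j-core\nversion={version}\n")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only
        for name, blob in (nested or {}).items():
            zf.writestr(name, blob)
    return buf.getvalue()


def demo():
    """Scan a constructed Spring Boot style fat jar with three nested log4j-core copies."""
    fat = build_fake_jar(None, include_jndi=False, nested={
        "BOOT-INF/lib/log4j-core-2.14.1.jar": build_fake_jar("2.14.1"),
        "BOOT-INF/lib/log4j-core-2.14.1-stripped.jar": build_fake_jar("2.14.1", include_jndi=False),
        "BOOT-INF/lib/log4j-core-2.17.1.jar": build_fake_jar("2.17.1"),
    })
    return scan_archive_bytes(fat, "app.jar")


if __name__ == "__main__":
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for f in results:
        print(f"{f['status']:<72} {f['path']}")
```

Run it as `python scan_log4j.py /opt/camunda` (or with no argument for the built-in demo). A jar is reported only if it carries log4j-core's pom.properties or JndiLookup.class, so log4j-api and log4j-to-slf4j bridge jars, which the distributions above ship, are correctly passed over; a copy whose JndiLookup.class has been deleted is reported as mitigated rather than clean, because removing the class was only ever a stopgap.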
For Camunda Platform 7 Users & Customers
Camunda Engine, Cockpit, Tasklist & RPA Bridge
Camunda Platform distributions (like WildFly, Tomcat, and Run) do not contain the vulnerable log4j-core artifact. Some distributions contain the log4j-api or log4j-to-slf4j bridge, which are not vulnerable without the log4j-core artifacts.
Camunda has released version 7.17.0-alpha2, which updates to Log4J 2.15.0. Camunda released 7.16.3, 7.15.9, and 7.14.15 on Fri Dec 17, which update to Log4J 2.16.0.
Camunda released 7.14.16, 7.15.10, 7.16.4, and RPA Bridge 1.1.4 on Wed Dec 23, which update to Log4J 2.17.0 and logback 1.2.9.
Camunda plans to release version 7.17.0-alpha3 on Tue Jan 11 2022, which contains all of these fixes.
Optimize
Camunda Optimize production and Docker distributions do not contain the vulnerable log4j-core artifact; they contain only the log4j-api or log4j-to-slf4j bridge artifacts, which are not vulnerable without log4j-core.
The Optimize demo distribution (versions below 3.6.5) bundles Elasticsearch 7.10.0. Elastic states that Elasticsearch 7.8+ releases running on recent JDK releases (JDK 9+) are not susceptible to remote code execution or information leakage through this vulnerability.
Camunda has released Optimize 3.6.5 on Tue Dec 21 with updated Log4J 2.17.0 artifacts, as well as an updated bundled Elasticsearch 7.16.2 in the demo distribution.
Please note that Optimize 3.6.x is known not to support the Elasticsearch 7.16.0 and 7.16.1 releases, due to a regression Elastic introduced with the 7.16.0 release.
Optimize 3.6.5 is verified to be compatible with the recent Elasticsearch 7.16.2 release, which contains a fix for the regression introduced in 7.16.0; we therefore recommend using the Elasticsearch 7.16.2 release.
Cawemo
Cawemo does not contain the vulnerable log4j-core artifact. It does bundle the log4j-api and log4j-to-slf4j bridge, which are not vulnerable without the log4j-core artifact.
Camunda has released Cawemo 1.8.3 on Wednesday Dec 15 which updates to Log4J 2.16.0.
Cawemo On-Premise depends on the IAM component so please make sure you also pull the newly released 1.1.10 IAM images.
Update 21.12.21:
Camunda has released Cawemo 1.8.4 on Tuesday Dec 21 which updates to Log4J 2.17.0 and logback 1.2.9.
Cawemo On-Premise depends on the IAM component so please make sure you also pull the newly released 1.1.11 IAM images.
For Camunda Cloud Users & Customers
Zeebe
Zeebe does contain the vulnerable log4j-core artifact. At this point, Camunda is not aware of any specific attack vector in Zeebe.
Camunda has released Camunda Cloud 1.1.7, 1.2.6 and 1.3.0-alpha3 on Tue Dec 14 updating to Log4J version 2.15.0 and recommends an update to these versions. See Camunda Cloud Security Notices.
Camunda has released Camunda Cloud 1.1.8 and 1.2.7 on Friday Dec 17 updating to Log4J version 2.16.0. See Camunda Cloud Security Notices.
Camunda has released Camunda Cloud 1.1.9 and 1.2.8 on Wednesday Dec 22 updating to Log4J version 2.17.0. See Camunda Cloud Security Notices.
Camunda has released Camunda Cloud 1.1.10 and 1.2.9 on Friday Dec 31 updating to Log4J version 2.17.1. See Camunda Cloud Security Notices.
Operate & Cloud Tasklist
Operate & Cloud Tasklist do contain the vulnerable log4j-core artifact. At this point, Camunda is not aware of any specific attack vector in Operate or Tasklist.
Further, Operate and Cloud Tasklist also rely on Elasticsearch. Elastic has released Elasticsearch 7.16.1 and recommends updating to this version or setting the system property -Dlog4j2.formatMsgNoLookups=true. Camunda advises customers to set this property until a version of Operate & Cloud Tasklist supporting Elasticsearch 7.16.1 is available. Note that this property only has an effect on Log4j 2.10 and later, and the Log4j project subsequently classified it as an incomplete mitigation (CVE-2021-45046); treat it as a stopgap until the upgrade is in place.
Camunda has released Camunda Cloud 1.1.7, 1.2.6 and 1.3.0-alpha3 on Tue Dec 14 updating to Log4J version 2.15.0 and recommends an update to these versions. See Camunda Cloud Security Notices.
Camunda has released Camunda Cloud 1.1.8 and 1.2.7 on Friday Dec 17 updating to Log4J version 2.16.0 and Elasticsearch 7.16.1. See Camunda Cloud Security Notices.
Camunda has released Camunda Cloud 1.1.9 and 1.2.8 on Wednesday Dec 22 updating to Log4J version 2.17.0 and Elasticsearch 7.16.2. See Camunda Cloud Security Notices.
Camunda has released Camunda Cloud 1.1.10 and 1.2.9 on Friday Dec 31 updating to Log4J version 2.17.1. See Camunda Cloud Security Notices.
IAM
IAM does not contain the vulnerable log4j-core artifact. It does bundle the log4j-api and log4j-to-slf4j bridge, which are not vulnerable without the log4j-core artifact.
Camunda has released IAM 1.1.9 and 1.2.6 on Tue Dec 14, which update to Log4J version 2.15.0, and recommends updating to these versions. See Camunda Cloud Security Notices.
Camunda released IAM 1.1.10 and 1.2.7 on Friday Dec 17 updating to Log4J version 2.16.0 and logback 1.2.8. See Camunda Cloud Security Notices.
Camunda released IAM 1.1.11 and 1.2.8 on Wednesday Dec 22 updating to Log4J version 2.17.0 and logback 1.2.9. See Camunda Cloud Security Notices.
Camunda released IAM 1.1.12 and 1.2.9 on Friday Dec 31 updating to Log4J version 2.17.1. See Camunda Cloud Security Notices.