On December 10th, 2021 researchers published details of an exploit affecting the popular Java logging library Log4j (CVE-2021-44228). The vulnerability in question exploited a feature (Lookups) introduced into v2.x that would allow for malicious messages logged via the system to be interpreted, ultimately allowing the execution of arbitrary code.
The Meroxa Data Platform is largely built on Go (Golang) and as such exposure to this CVE is very limited. Specifically Java (and therefore Log4j) is only used by Apache Kafka and the various Apache Kafka ecosystem components deployed on the platform.
In the case of Apache Kafka and Apache Kafka Connect, both use Log4j-v1.2.17 which is not affected by the recently disclosed vulnerability. You can find more details on the Apache Kafka website (CVE list).
Kafka Connect Connectors however can utilize different versions of the Log4j library. As such we have audited all connectors currently supported on the platform and have deployed updated (remediated) versions. Specifically we have upgraded to versions using Log4j v2.16.0 which removes the feature entirely that introduced the vulnerability.
Additionally we have audited our configurations to confirm that no user generated data is logged via any supported connectors further limiting the ability for this vulnerability to be exploited on the Meroxa Data Platform.
We will of course continue to monitor developments related to the CVE and will take any actions necessary to ensure the security of our platform.