Log4j (Log4shell) CVE-2021-44228


On December 10th, 2021, researchers published details of an exploit affecting the popular Java logging library Log4j (CVE-2021-44228). The vulnerability lies in a feature (Lookups) introduced in v2.x that causes malicious messages logged via the system to be interpreted, ultimately allowing the execution of arbitrary code.

The Meroxa Data Platform is largely built on Go (Golang), and as such, exposure to this CVE is very limited. Specifically, Java (and therefore Log4j) is only used by Apache Kafka and the various Apache Kafka ecosystem components deployed on the platform.

Apache Kafka and Apache Kafka Connect both use Log4j v1.2.17, which is not affected by the recently disclosed vulnerability. You can find more details on the Apache Kafka website (CVE list).

Kafka Connect connectors, however, can use different versions of the Log4j library. As such, we have audited all connectors currently supported on the platform and have deployed updated (remediated) versions. Specifically, we have upgraded to versions using Log4j v2.16.0, which entirely removes the feature that introduced the vulnerability.

Additionally, we have audited our configurations to confirm that no user-generated data is logged via any supported connectors, further limiting the ability for this vulnerability to be exploited on the Meroxa Data Platform.

We will, of course, continue to monitor developments related to the CVE and will take any actions necessary to ensure the security of our platform.
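
One way to run the kind of connector audit described above, as an added example (not Meroxa's tooling): it walks a connector bundle, including nested JARs, and classifies each Log4j copy using the version thresholds stated in this post. It assumes the JARs still carry their Maven `pom.properties` metadata, so shaded JARs that strip it are missed; the function names and the sample bundle are constructed for illustration.

```python
import io
import zipfile

POM_PATHS = {  # Maven metadata entries; they survive a renamed JAR file
    "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties": "log4j-core",
    "META-INF/maven/log4j/log4j/pom.properties": "log4j",
}
REMEDIATED = (2, 16, 0)  # the version this post says connectors were upgraded to


def classify(version):
    """Map a Log4j version onto the cases the post distinguishes."""
    nums = [int(p) for p in version.split("-")[0].split(".") if p.isdigit()]
    if not nums:
        return "version unknown, inspect manually"
    if nums[0] == 1:
        return "1.x, not affected by CVE-2021-44228"
    return "remediated" if tuple(nums + [0, 0])[:3] >= REMEDIATED else "2.x below 2.16.0, upgrade"


def scan_archive(data, path="<root>"):
    """Return (path, artifact, version, verdict) per Log4j copy, nested archives included."""
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name in POM_PATHS:
                lines = zf.read(name).decode(errors="replace").splitlines()
                props = dict(ln.split("=", 1) for ln in lines if "=" in ln)
                version = props.get("version", "").strip()
                found.append((path, POM_PATHS[name], version, classify(version)))
            elif name.lower().endswith((".jar", ".war", ".zip")):
                try:
                    found += scan_archive(zf.read(name), f"{path}!/{name}")
                except zipfile.BadZipFile:
                    pass  # misnamed file, nothing to inspect
    return found


def sample_bundle():
    """Constructed connector bundle: three nested JARs with neutral file names."""
    def pack(entries):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            for name, body in entries.items():
                zf.writestr(name, body)
        return buf.getvalue()
    core, v1 = POM_PATHS
    cases = {"lib/a.jar": (core, "2.14.1"), "lib/b.jar": (core, "2.16.0"), "lib/c.jar": (v1, "1.2.17")}
    return pack({n: pack({k: f"version={v}\n".encode()}) for n, (k, v) in cases.items()})
```

To audit a real bundle, pass the bytes of the connector archive to `scan_archive()`; `scan_archive(sample_bundle())` shows the three verdicts on the constructed input.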

Azure CosmosDB Connector Public Beta


Azure Cosmos DB is now available in Public Beta as a Source Connector on Meroxa. This means you can start provisioning Cosmos DB via the Meroxa Dashboard or CLI:

$ meroxa resources create sourcedb --type cosmosdb --url cosmosdb://$COSMOS_ACCOUNT_NAME:$COSMOS_PRIMARY_KEY@$COSMOS_ACCOUNT_NAME.documents.azure.com:443/$COSMOS_DATABASE

For any questions or comments, please feel free to email us at support@meroxa.io or reach out to us on Twitter.

New CLI `--no-headers` option

@_raulb_
Developer

With Meroxa CLI version v1.2.0, we're adding the --no-headers option to any command that lists a Meroxa Platform resource.

This option is useful when performing scripting operations that depend on a specific number.

Microsoft SQL Server Connector Beta

@misosoup
Product

Starting today, a public beta of the Microsoft SQL Server connector is available to all customers. The connector can be used as a source. Microsoft SQL Server resources can be provisioned in the typical manner in the dashboard or via the CLI:

$ meroxa resources create sourcedb --type sqlserver -u sqlserver://username:password@hostname:1433/dbname

For more information on the Microsoft SQL Server connector, please see the documentation (source). For any questions or comments, please feel free to email us at support@meroxa.io.

Meroxa Terraform Provider


A new Terraform Provider for Meroxa is available to all customers. The provider will enable you to provision, modify and destroy various objects on the Meroxa platform as code. This should make activities like rolling database credentials on the Meroxa Platform an automated process.

For more information, see the Meroxa Documentation on how to get started, or the provider on the Terraform Registry. For any questions or comments, please feel free to email us at support@meroxa.io or open an issue in our GitHub repo.