On Friday, Dec 10, we became aware of a critical bug in the Apache Log4J2 library which is commonly used for logging purposes in many well-known products.

MZ 8.1

According to our latest analysis (2021-12-14), MZ 8.1.X is not affected by this issue.

MZ 8.2

The DataHub component relies on a Cloudera Impala connector which bundles a vulnerable version of log4j-core. This library use is localized to the DataHub component and, specifically, its data connector. Customers who do not use DataHub in their workflows are not affected.

To customers on MZ 8.2 who use the DataHub component and want to mitigate a potential attack vector, we recommend one of these two options:

• Set JVM system property log4j2.formatMsgNoLookups=true

• Set environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS=true on the MZ server

We will closely follow our dependencies vendors' updates and watch for any new information regarding all third-party packages we use to make sure we act upon any new information from them once it is made available.

We are working on an ER release to mitigate mentioned DataHub issue and also update the existing log4j-core to the latest maintained version on the current major that includes some security updates.

Last update: 15 Dec 2021 9.56 CET