Security advisory for Log4Shell

Initial publication date: 16th of December 2021
Latest update: 18th of January 2022

The Apache log4j project is widely used in the Java ecosystem. The reported vulnerability known as Log4Shell, filed as CVE-2021-44228 and CVE-2021-45046, potentially affects Starburst products.

This document collects all relevant details for our customers and users.

Summary

No exploits are known, and new release artifacts remove the dependency to make any future exploits impossible.

Trino

Open source Trino is not affected. Specifically, Trino does not use log4j for logging or for any other purpose. The potential exploits therefore do not apply, since no log4j code is ever executed.

Out of an abundance of caution and due diligence, Starburst and the Trino maintainers collaborated on removal of the inactive log4j JAR from any binaries.

The removal is part of the Trino 366 release.

Starburst Galaxy

Starburst Galaxy is not affected, since it only uses trimmed container images. These images have been analyzed and do not include any log4j artifacts.

Starburst Enterprise

Starburst Enterprise platform (SEP) consists of Trino and numerous extensions, including additional connectors and security-related plugins.

Core

Similar to Trino, SEP is not affected, and the removal of the inactive log4j JAR files that were found is complete.

Delta Lake connector

The log4j JAR was found as a transitive dependency included with the Delta Lake connector. As in the core, the JAR and log4j code are not used, but they are available on the isolated classpath of the connector. The removal of the inactive log4j JAR file is complete.

Ranger client plugin

The JAR was found in a shaded library used by the Ranger client plugin. As in the core, the log4j code is not used, but it is available on the isolated classpath of the plugin. The removal of the inactive log4j class files in the shaded library is complete.
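To confirm on an installation that no log4j-core code remains in plugin JARs, including shaded or nested copies like the ones described for the Delta Lake connector and the Ranger client plugin, a check along these lines can be used. This is an added example, not Starburst or Trino tooling; it assumes a shaded copy keeps the `log4j/core/lookup/JndiLookup.class` path suffix, and all JAR names in `demo()` are constructed.

```python
import io
import zipfile
from pathlib import Path

# Class behind the log4j 2 JNDI lookup. Matching on the path suffix also
# catches shaded copies whose package was relocated under another prefix.
JNDI_SUFFIX = "log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")

def scan_archive(data, label, depth=0, max_depth=4):
    """Return 'archive!entry' labels for log4j-core code, recursing into nested archives."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # unreadable archive: nothing to report
    with zf:
        for name in zf.namelist():
            if name.endswith(JNDI_SUFFIX):
                hits.append(f"{label}!{name}")
            elif name.lower().endswith(ARCHIVE_EXTS) and depth < max_depth:
                hits += scan_archive(zf.read(name), f"{label}!{name}", depth + 1, max_depth)
    return hits

def scan_tree(root):
    """Scan every archive below root, for example a plugin directory."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVE_EXTS:
            hits += scan_archive(path.read_bytes(), str(path))
    return hits

def make_jar(entries):
    """Build an in-memory JAR from {entry name: bytes} for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

def demo():
    """Scan constructed sample JARs (all names here are made up)."""
    core = make_jar({"org/apache/logging/" + JNDI_SUFFIX: b""})
    samples = {
        "shaded.jar": make_jar({"shaded/org/apache/logging/" + JNDI_SUFFIX: b""}),
        "fat.jar": make_jar({"lib/log4j-core.jar": core}),
        "clean.jar": make_jar({"com/example/App.class": b""}),
    }
    return {name: scan_archive(data, name) for name, data in samples.items()}
```

Call `scan_tree()` with the directory that holds the installation's JARs. A hit shows that log4j-core code is present, not that the version is vulnerable: patched log4j releases still ship this class, so the version of any reported copy has to be checked separately.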

Apache Ranger container

The Kubernetes support for SEP includes a Helm chart for Apache Ranger. Starburst created a patch for the container image it uses, which runs the Ranger Admin server and user interface. The patch upgrades log4j to the unaffected new release 2.16.0.

Starburst also notified the upstream Apache project.

Hive Metastore Service container

The Kubernetes support for SEP includes a Helm chart for a Hive Metastore Service (HMS). Starburst created a patch for the container image it uses. The patch upgrades log4j to the unaffected new release 2.16.0.

Starburst also notified the upstream Apache project.

LTS backport releases

The following LTS backport releases from the 17th of December 2021 include all the measures:

We suggest that customers update to these patch releases at their earliest convenience.

365-e STS release

The available 365-e STS release includes the removal of the dependency from the Ranger and HMS containers.

Newer STS releases

The available 367-e STS release includes all measures. It also includes updates to log4j 2.17.1 in the Hive Metastore Service container and 2.17.0 in the Apache Ranger container to mitigate CVE-2021-45105.

The 368-e STS release updates log4j in the Apache Ranger container to 2.17.1.

Any newer STS releases include all these measures.

Newer LTS releases

Newer LTS releases and LTS backport releases include all measures, including the updates to log4j 2.17.1 in the Hive Metastore Service and Apache Ranger containers to mitigate CVE-2021-45105.