Update on Log4Shell Vulnerability (CVE-2021-44228)

Greetings, everyone!

An update on some more serious news doing the rounds: a zero-day arbitrary code execution vulnerability (CVE-2021-44228 aka Log4Shell) was recently discovered affecting the Apache Log4j2 library for versions <= 2.14.1.

For updates from MongoDB’s security team in relation to MongoDB’s products and services, please see Log4Shell Vulnerability (CVE-2021-44228) and MongoDB.

If you are a MongoDB Commercial Support subscriber and have questions related to your deployments, please open a support case.

Related Resources

If you have questions or suggested resources that aren’t covered by the above information, please feel free to discuss in the comments.

Regards,
Stennie


MongoDB gives an overview of the current status of products. But no versions are stated. We deploy MongoDB as an embedded component with another vendor’s application. We cannot determine if we are vulnerable or not.

Welcome to the MongoDB Community Forums @Andre_Hoekstra !

We deploy MongoDB as an embedded component with another vendor’s application. We cannot determine if we are vulnerable or not.

The MongoDB database server does not use Java and the MongoDB Java/Scala driver (as well as Spark/Kafka connectors) use the SLF4J API for logging.

The SLF4J API can be used with log4j (see Log4j 2 SLF4J Binding), so if you are using Java you should audit your application usage as well as the vendor application you are embedded in.

If you still have concerns, please share more details about the product versions you are concerned about.

Regards,
Stennie

Hello,

We are using MongoClient from mongo-java-driver-3.4.3.jar. If I am not mistaken, MongoClient uses log4j. Could you tell me if we are vulnerable?

Best regards,
Addisalem

Welcome to the MongoDB Community Forums @Addisalem_Shiferaw !

As far as I’m aware, the MongoDB Java driver has not used log4j as a dependency.

The 3.4.3 Java driver (released in July 2017) has an optional logging dependency on SLF4J API 1.7.6:

If your application is using Java you should audit any potential usage of log4j, but this dependency should not be introduced by the MongoDB Java driver.

Regards,
Stennie

Hey @Stennie_X

We are using “mongo-java-driver-3.12.4” for our microservices, can you please tell us whether this version of the Java MongoDB driver is affected by “log4j” or not? If yes, then how do we get around this issue?

Regards,
Kaushik Das

Hi @Kaushik_Das,

The 3.12.4 Java driver uses SLF4J API 1.7.6 as an optional logging dependency:

To further clarify the MongoDB Java driver behaviour:

  • Driver versions up to 3.0.0 use Java Util Logging (JUL).

  • Driver versions 3.0.0+ add SLF4J API as an optional dependency per JAVA-1123. If SLF4J isn’t detected in the classpath, the driver will use JUL.

  • SLF4J is an API that allows developers to use any type of logger provider (JUL, Log4J, JCL, Logback, …) so you should check dependencies introduced by your application code.

  • There are no versions of the MongoDB Java driver using log4j by default.

Regards,
Stennie
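As an added example (not code from the thread, from MongoDB, or from the Java driver) covering both the audit advice above and the earlier reply about the SLF4J binding: a Python script that scans a set of JARs, descending into jars nested inside a fat application jar, and reports two things. For log4j-core it reads the version from the Maven `pom.properties` entry and checks whether `JndiLookup.class` is present (removing that class was the common stop-gap where an immediate upgrade was not possible); for the log4j-slf4j-impl binding it looks for the `org.apache.logging.slf4j.Log4jLoggerFactory` class, which is what turns an SLF4J-only dependency such as the MongoDB Java driver's into log4j calls at runtime. The affected range (<= 2.14.1) is taken from the thread; the status labels, function names and the sample jars are this example's own, and the sample jars are constructed inline with entry names only, no real bytecode.

```python
"""Audit JARs for log4j-core and the log4j SLF4J binding (added example, not MongoDB code)."""
import io
import re
import tempfile
import zipfile
from pathlib import Path

# Well-known entry names inside the real log4j artifacts
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LOG4J_CORE_POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# log4j-slf4j-impl ships its SLF4J LoggerFactory in package org.apache.logging.slf4j
SLF4J_BINDING_CLASS = "org/apache/logging/slf4j/Log4jLoggerFactory.class"
# Per the thread, log4j-core <= 2.14.1 is affected by CVE-2021-44228
LAST_AFFECTED = (2, 14, 1)


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); None if the string is not a dotted version."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    return tuple(int(g or 0) for g in m.groups()) if m else None


def classify(version, has_jndi_lookup):
    """Status label (this example's own vocabulary) for one log4j-core instance."""
    if version is None:
        return "unknown-version"
    if version > LAST_AFFECTED:
        return "not-in-affected-range"
    return "affected" if has_jndi_lookup else "mitigated-jndilookup-removed"


def _scan(zf, label, findings):
    names = set(zf.namelist())
    version = None
    if LOG4J_CORE_POM in names:
        props = zf.read(LOG4J_CORE_POM).decode("utf-8", "replace")
        m = re.search(r"^version=(.+)$", props, re.M)
        version = parse_version(m.group(1)) if m else None
    if version is not None or JNDI_LOOKUP in names:
        findings.append({"jar": label, "component": "log4j-core", "version": version,
                         "status": classify(version, JNDI_LOOKUP in names)})
    if SLF4J_BINDING_CLASS in names:
        findings.append({"jar": label, "component": "log4j-slf4j-impl",
                         "version": None, "status": "slf4j-routes-to-log4j"})
    # Recurse into nested jars (uber jars, Spring Boot BOOT-INF/lib, WAR WEB-INF/lib)
    for entry in sorted(names):
        if entry.endswith(".jar"):
            with zipfile.ZipFile(io.BytesIO(zf.read(entry))) as inner:
                _scan(inner, f"{label}!{entry}", findings)


def audit(jar_paths):
    """Scan each jar (and any nested jars) and return a list of finding dicts."""
    findings = []
    for path in jar_paths:
        with zipfile.ZipFile(path) as zf:
            _scan(zf, Path(path).name, findings)
    return findings


def _zip_bytes(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_jars(directory):
    """Constructed sample jars: real entry layouts, empty placeholder bodies (no bytecode)."""
    d = Path(directory)
    core_old = {LOG4J_CORE_POM: "version=2.14.1\n", JNDI_LOOKUP: b""}
    core_stripped = {LOG4J_CORE_POM: "version=2.14.1\n"}          # JndiLookup removed
    core_new = {LOG4J_CORE_POM: "version=2.17.1\n", JNDI_LOOKUP: b""}
    binding = {SLF4J_BINDING_CLASS: b"", "org/slf4j/impl/StaticLoggerBinder.class": b""}
    driver = {"com/mongodb/MongoClient.class": b""}               # no log4j entries at all
    (d / "log4j-core-2.14.1.jar").write_bytes(_zip_bytes(core_old))
    (d / "log4j-core-2.14.1-stripped.jar").write_bytes(_zip_bytes(core_stripped))
    (d / "log4j-core-2.17.1.jar").write_bytes(_zip_bytes(core_new))
    # A fat application jar bundling the driver together with log4j under BOOT-INF/lib
    fat = {"BOOT-INF/lib/mongo-java-driver-3.12.4.jar": _zip_bytes(driver),
           "BOOT-INF/lib/log4j-core-2.14.1.jar": _zip_bytes(core_old),
           "BOOT-INF/lib/log4j-slf4j-impl-2.14.1.jar": _zip_bytes(binding)}
    (d / "app.jar").write_bytes(_zip_bytes(fat))
    return sorted(str(p) for p in d.glob("*.jar"))


def demo():
    """Build the constructed jars in a temp dir and audit them."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit(build_sample_jars(tmp))


if __name__ == "__main__":
    for f in demo():
        print(f"{f['jar']:55} {f['component']:17} {f['status']}")
```

Run against a real classpath by passing the jar paths to `audit()`; the driver jar produces no finding, which matches the point above that the log4j dependency, when it exists, is introduced by the application or the vendor product rather than by the driver. The scan only looks for the specific entries named in the constants, so a shaded or repackaged log4j under a different package prefix would need additional entry names.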


Hi,
I’m currently using MongoDB version 3.4.24 and 3.4.5; we also have MongoDB Compass 1.23.0. Based on your article, Compass should be fine, but do I have to worry about MongoDB with the 2 versions above?
Appreciate any feedback!

Hi @huy_mai,

MongoDB Server (implemented in C++) and MongoDB Compass (implemented in Node.js) do not use Java, so log4j is not a direct concern for these products. You should still audit any usage across other Java applications or services in your deployment.

However, MongoDB 3.4 is very outdated (first released in November 2016 and End Of Life in January 2020). I strongly recommend upgrading your 3.4.5 deployments to the final 3.4.24 version and planning an upgrade to an actively maintained release series (currently 4.0 or later).

Regards,
Stennie


Hi @Stennie_X,
Thanks so much for your information.
Just to clarify, I’m a little bit confused about the part: “upgrading your 3.4.5 deployments to the final 3.4.24 version”. Should the 3.4.24 version be lower than the 3.4.5 version?
Could you tell me the exact version that we should update to?
Thanks,

Hi @huy_mai,

MongoDB 3.4.5 (released in June 2017) is 2 1/2 years older than 3.4.24 (the final release of the 3.4 series, in January 2020). See Release Notes for MongoDB 3.4 for more details.

Since there have been several years of bug fixes and improvements with no backward-breaking compatibility changes in minor releases, upgrading to the final 3.4.24 release would be a recommended starting point.

Ideally you should plan and test upgrading to a supported server release series (currently MongoDB 4.0 or newer) so your MongoDB software continues to get maintenance fixes including security updates.

Regards,
Stennie