Update on Log4Shell Vulnerability (CVE-2021-44228)

Greetings, everyone!

An update on some more serious news doing the rounds: a zero-day arbitrary code execution vulnerability (CVE-2021-442228 aka Log4Shell) was recently discovered affecting the Apache Log4j2 library for versions <= 2.14.1.

For updates from MongoDB’s security team in relation to MongoDB’s products and services, please see Log4Shell Vulnerability (CVE-2021-44228) and MongoDB.

If you are a MongoDB Commercial Support subscriber and have questions related to your deployments, please open a support case.

Related Resources

If you have questions or suggested resources that aren’t covered by the above information, please feel free to discuss in the comments.

Regards,
Stennie

2 Likes

Mongo DB gives an overview of current status of products. But no versions are stated. We deploy MongoDB as an embedded component with another vendor’s application. We cannot determine if we are vulnerable or not.

Welcome to the MongoDB Community Forums @Andre_Hoekstra !

We deploy MongoDB as an embedded component with another vendor’s application. We cannot determine if we are vulnerable or not.

The MongoDB database server does not use Java and the MongoDB Java/Scala driver (as well as Spark/Kafka connectors) use the SLF4J API for logging.

The SLF4J API can be used with log4j (see Log4j 2 SLF4J Binding), so if you are using Java you should audit your application usage as well as the vendor application you are embedded in.

If you still have concerns, please share more details about the product versions you are concerned about.

Regards,
Stennie

Hello,

we are using MongoClient from mongo-java-driver-3.4.3.jar. If I am not mistaken, MongoClient uses log4j. could you tell me if we are vulnerable?

Best regards,
Addisalem

Welcome to the MongoDB Community Forums @Addisalem_Shiferaw !

As far as I’m aware, the MongoDB Java driver has not used log4j as a dependency.

The 3.4.3 Java driver (released in July 2017) has an optional logging dependency on SLF4J API 1.7.6:

If your application is using Java you should audit any potential usage of log4j, but this dependency should not be introduced by the MongoDB Java driver.

Regards,
Stennie

Hey @Stennie

We are using “mongo-java-driver-3.12.4” for our microservices, can you please tell us that weather this version of Java MongoDB is affected by “log4j” or not? If yes then how do we get around this issue?

Regards,
Kaushik Das

Hi @Kaushik_Das,

The 3.12.4 Java driver uses SLF4J API 1.7.6 as an optional logging dependency:

To further clarify the MongoDB Java driver behaviour:

  • Driver versions up to 3.0.0 use Java Util Logging (JUL).

  • Driver versions 3.0.0+ add SLF4J API as an optional dependency per JAVA-1123. If SLF4J isn’t detected in the classpath, the driver will use JUL.

  • SLF4J is an API that allows developers to use any type of logger provider (JUL, Log4J, JCL, Logback, …) so you should check dependencies introduced by your application code.

  • There are no versions of the MongoDB Java driver using log4j by default.

Regards,
Stennie

A post was split to a new topic: Does javascriptProtection:false impose any risk?

Hi,
I’m currently using Mongo DB version 3.4.24 and 3.4.5; we also have Mongo DB Compass 1.23.0. Based on your article, Compass should be fine but do I have to worry about the MongoDB with 2 version above?
Appreciate any feedbacks!

Hi @huy_mai,

MongoDB Server (implemented in C++) and MongoDB Compass (implemented in Node.js) do not use Java, so log4j is not a direct concern for these products. You should still audit any usage across other Java applications or services in your deployment.

However, MongoDB 3.4 is very outdated (first released in November 2016 and End Of Life in January 2020). I strongly recommend upgrading your 3.4.5 deployments to the final 3.4.24 version and planning an upgrade to an actively maintained release series (currently 4.0 or later).

Regards,
Stennie

1 Like

Hi @Stennie,
Thank so much for your information.
Just to clarify, I’m a litter bit confused about the part: “upgrading your 3.4.5 deployments to the final 3.4.24 version”. Should 3.4.24 version be lower than 3.4.5 version?
Could you tell me the exact version that we should update to?
Thanks,

Hi @huy_mai,

MongoDB 3.4.5 (released in June 2017) is 2 1/2 years older than 3.4.24 (the final release of the 3.4 series, in January 2020). See Release Notes for MongoDB 3.4 for more details.

Since there have been several years of bug fixes and improvements with no backward-breaking compatibility changes in minor releases, upgrading to the final 3.4.24 release would be a recommended starting point.

Ideally you should plan and test upgrading to a supported server release series (currently MongoDB 4.0 or newer) so your MongoDB software continues to get maintenance fixes including security updates.

Regards,
Stennie