An update on some more serious news doing the rounds: a zero-day arbitrary code execution vulnerability (CVE-2021-44228, aka Log4Shell) was recently discovered affecting the Apache Log4j2 library for versions <= 2.14.1.
Mongo DB gives an overview of current status of products. But no versions are stated. We deploy MongoDB as an embedded component with another vendor’s application. We cannot determine if we are vulnerable or not.
We are using “mongo-java-driver-3.12.4” for our microservices. Can you please tell us whether this version of the Java MongoDB driver is affected by “log4j” or not? If yes, then how do we get around this issue?
I’m currently using Mongo DB version 3.4.24 and 3.4.5; we also have Mongo DB Compass 1.23.0. Based on your article, Compass should be fine but do I have to worry about the MongoDB with 2 version above?
Appreciate any feedback!
MongoDB Server (implemented in C++) and MongoDB Compass (implemented in Node.js) do not use Java, so log4j is not a direct concern for these products. You should still audit any usage across other Java applications or services in your deployment.
However, MongoDB 3.4 is very outdated (first released in November 2016 and End Of Life in January 2020). I strongly recommend upgrading your 3.4.5 deployments to the final 3.4.24 version and planning an upgrade to an actively maintained release series (currently 4.0 or later).
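A small audit helper in POSIX shell, added here as an example and not part of the original thread or of any MongoDB tooling: it walks a directory tree for log4j-core jars (assumed to keep the standard log4j-core-<version>.jar file name) and flags any version at or below the 2.14.1 threshold quoted at the top of the thread. It will miss shaded or renamed copies of the library, so treat it as a first pass, not a complete inventory.

```shell
#!/bin/sh
# Added example (not from the thread): flag log4j-core jars whose version is
# at or below the affected range quoted above. Update the threshold from the
# current vendor advisory before relying on it.
LOG4J_MAX_AFFECTED="2.14.1"

# version_le A B: succeed (exit 0) when dotted version A <= B.
# Compares up to three numeric fields; missing fields count as 0, and a
# trailing qualifier such as "1-rc1" is read as its leading number.
version_le() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    for (i = 1; i <= 3; i++) {
      p = (i <= n) ? x[i] + 0 : 0
      q = (i <= m) ? y[i] + 0 : 0
      if (p < q) exit 0
      if (p > q) exit 1
    }
    exit 0
  }'
}

# scan_log4j DIR: print one line per log4j-core jar under DIR:
#   <path> <version> FLAGGED|above-threshold
scan_log4j() {
  find "$1" -type f -name 'log4j-core-*.jar' 2>/dev/null |
  while IFS= read -r jar; do
    base=${jar##*/}
    ver=${base#log4j-core-}
    ver=${ver%.jar}
    if version_le "$ver" "$LOG4J_MAX_AFFECTED"; then
      status="FLAGGED"
    else
      status="above-threshold"
    fi
    printf '%s %s %s\n' "$jar" "$ver" "$status"
  done
}

# Usage: sh log4j_audit.sh /path/to/deployment
if [ $# -gt 0 ]; then
  scan_log4j "$1"
fi
```

Run it against each host or container image that ships Java components, including third-party applications that embed MongoDB drivers, since those are the places where a vulnerable log4j-core copy would actually live.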
Thanks so much for your information.
Just to clarify, I’m a little bit confused about the part: “upgrading your 3.4.5 deployments to the final 3.4.24 version”. Should the 3.4.24 version be lower than the 3.4.5 version?
Could you tell me the exact version that we should update to?
MongoDB 3.4.5 (released in June 2017) is 2 1/2 years older than 3.4.24 (the final release of the 3.4 series, in January 2020). See Release Notes for MongoDB 3.4 for more details.
Since there have been several years of bug fixes and improvements with no backward-breaking compatibility changes in minor releases, upgrading to the final 3.4.24 release would be a recommended starting point.
Ideally you should plan and test upgrading to a supported server release series (currently MongoDB 4.0 or newer) so your MongoDB software continues to get maintenance fixes including security updates.