HDP 3.1.5 Release Notes
Also available as:
PDF

CVE 2021-44228 Remediation for HDP 3.1.5 and Ambari 2.7.5

As mentioned in Cloudera Technical Service Bulletin 2021-545 (Critical vulnerability in log4j2 CVE-2021-44228), the Hortonworks Data Platform (HDP) and Ambari are impacted by the recent Apache Log4j2 vulnerability.

As per that bulletin: The Apache Security team has released a security advisory for CVE-2021-44228 which affects Apache Log4j2. A malicious user could exploit this vulnerability to run arbitrary code as the user or service account running the affected software. Software products using log4j versions 2.0 through 2.14.1 are affected and log4j 1.x is not affected. Cloudera is making short-term workarounds available for affected software and is in the process of creating new releases containing fixes for this CVE.

Short Term Resolution

Remediation steps are outlined in the TSB-545 documentation. Be aware that the following actions are pulling the vulnerable jar back in action again:
  • Adding service
  • Scaling up cluster
  • Enabling features like: LZO, HDFS HA

Long Term Resolution - HDP 3.1.5.6178 and Ambari 2.7.5.27

Please follow the upgrade instructions for minor upgrades to replace the vulnerable HDP and Ambari bits. The instruction for updating the JDBC driver (affected by this vulnerability) can be followed here.

HDP bits are built on top of the GA’d HDP 3.1.5.6091 with log4j-2.16.0 and the Ambari bits include 2.7.5.0 plus all cumulative fixes so far including log4j-2.16.0. For more information, see Fixed Issues for Ambari 2.7.5.27.