Question
Which HiveMQ versions are affected by CVE-2021-44228 (Log4Shell)?
What actions do I need to take in my HiveMQ deployment?
Answer
Info |
---|
HiveMQ is NOT affected by this vulnerability, as the Log4j framework is not utilised. |
Background Information
On Friday, December 10, 2021, the company LunaSec announced that it discovered a security vulnerability in the widely used Java logging framework Log4j 2.
This vulnerability allows for remote code execution if the framework is used in a version between and including 2.0-beta9 and 2.14.1. A fixed artifact with the version 2.15.0 is currently available.
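An added example, not HiveMQ's own code: a Python check that walks a directory tree for log4j-core JARs, including copies bundled inside other JARs, and reports whether each version falls within the affected range given above. The function names, the verdict labels and the `JndiLookup` class lookup used to spot repackaged copies are choices of this example.

```python
import re
import sys
import zipfile
from pathlib import Path

# Range stated on this page: 2.0-beta9 through 2.14.1 inclusive; verdicts refer only to it.
_STAGE = {"alpha": 0, "beta": 1, "rc": 2, "": 3}  # pre-releases sort before the release
_VERSION = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?$", re.I)
_JAR = re.compile(r"log4j-core-(.+)\.jar$")
# Class that ships in log4j-core; finding it catches repackaged (shaded) copies.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def version_key(text):
    """Map '2.0-beta9' or '2.14.1' to a sortable tuple, or None if unparseable."""
    if not (m := _VERSION.match(text)):
        return None
    major, minor, patch, stage, num = m.groups()
    return (int(major), int(minor), int(patch or 0), _STAGE[(stage or "").lower()], int(num or 0))

LOW, HIGH = version_key("2.0-beta9"), version_key("2.14.1")

def classify(version):
    key = version_key(version)
    if key is None:
        return "unknown"
    return "in-range" if LOW <= key <= HIGH else "outside-range"

def scan(root):
    """Return (location, version, verdict) for every log4j-core copy under root."""
    findings = []
    for jar in sorted(Path(root).rglob("*.jar")):
        own = _JAR.search(jar.name)
        if own:
            findings.append((str(jar), own.group(1), classify(own.group(1))))
        try:
            with zipfile.ZipFile(jar) as zf:
                names = zf.namelist()
        except (zipfile.BadZipFile, OSError):
            continue  # unreadable archive: the file-name match above still counts
        for name in names:  # jars bundled inside another jar
            if nested := _JAR.search(name):
                findings.append((f"{jar}!{name}", nested.group(1), classify(nested.group(1))))
        if not own and JNDI_CLASS in names:
            findings.append((str(jar), "?", "unknown"))
    return findings

if __name__ == "__main__":
    for finding in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(*finding, sep="\t")
```

The version is read from the JAR file name, so a renamed archive is only caught by the class lookup; any hit reported as `unknown` needs manual inspection.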
Exposure at HiveMQ
HiveMQ does not use Log4j 2 in any of its products, open-source projects, or in the HiveMQ Cloud platform. Therefore, HiveMQ products are not directly vulnerable and deployments that use only HiveMQ products are secure.
...