Log4Shell vulnerability

Owned by Florian Raschbichler
Last updated: Dec 13, 2021
1 min read

Question

Which HiveMQ version are affected by CVE-2021-44228 (Log4Shell)?

What actions do I need to take in my HiveMQ deployment?

Answer

HiveMQ is NOT affected by this vulnerability, as the Log4j framework is not utilised.

Background Information

On Friday, December 10, 2021, the company LunaSec announced that it discovered a security vulnerability in the widely used Java logging framework Log4j 2.

This vulnerability allows for remote code execution if the framework is used in a version between and including 2.0-beta9 and 2.14.1. A fixed artifact with the version 2.15.0 is currently available.

Exposure at HiveMQ

HiveMQ does not use Log4j 2 in any of its products, open-source projects, or in the HiveMQ Cloud platform. Therefore, HiveMQ products are not directly vulnerable and deployments that use only HiveMQ products are secure.

If you deploy your own custom HiveMQ extensions, these extensions could still be affected by CVE-2021-44228.

To check the vulnerability of your extension, run one of the following options:

./gradlew dependencies

if you are using gradle as your build tool or

mvn dependency:tree

if you are using Maven.

Check the output carefully. If your output contains log4j-core, update to a version greater than or equal to 2.15.0 immediately.