Question
Which HiveMQ version are affected by CVE-2021-44228 (Log4Shell)?
What actions do I need to take in my HiveMQ deployment?
Answer
HiveMQ is NOT affected by this vulnerability, as the Log4j framework is not utilised.
Background Information
On Friday, December 10, 2021, the company LunaSec announced that it discovered a security vulnerability in the widely used Java logging framework Log4j 2.
This vulnerability allows for remote code execution if the framework is used in a version between and including 2.0-beta9
and 2.14.1
. A fixed artifact with the version 2.15.0
is currently available.
Exposure at HiveMQ
HiveMQ does not use Log4j 2 in any of its products, open-source projects, or in the HiveMQ Cloud platform. Therefore, HiveMQ products are not directly vulnerable and deployments that use only HiveMQ products are secure.
If you deploy your own custom HiveMQ extensions, these extensions could still be affected by CVE-2021-44228.
To check the vulnerability of your extension, run one of the following options:
./gradlew dependencies
if you are using gradle as your build tool or
mvn dependency:tree
if you are using Maven.
Check the output carefully. If your output contains log4j-core
, update to a version greater than or equal to 2.15.0
immediately.