On Dec 10th, a remote code execution vulnerability in the log4j2 library was published (CVE-2021-44228). Etlworks uses the latest log4j2 2.17.x and therefore is not affected by this CVE.
Etlworks is shipped with the legacy JDBC driver for ElastiCache, which contains an older version of the log4j2 library packaged in the JDBC jar file. The driver is not used by any of the components and does not include code related to CVE-2021-44228, but we removed it from the distribution package anyway. The update is available immediately for all self-hosted customers. All instances managed by Etlworks have already been updated.