Several MariaDB customers have asked us about CVE-2021-44228 aka “Log4Shell”, a vulnerability in the Log4j Java logging framework which may allow remote code execution (RCE).
Update: The detail here also addresses the second Log4j vulnerability, CVE-2021-45046.
MariaDB Products
No MariaDB product is directly impacted by this CVE. MariaDB Connector/J can optionally be configured to use Log4j. Users of MariaDB Connector/J should see this blog for a detailed explanation of CVE-2021-44228 and mitigations.
MariaDB Hosted Systems
MariaDB’s security team has reviewed our systems. While we have no vulnerable customer-facing systems, an internal system used a version of Log4j covered by CVE-2021-44228. We have mitigated the vulnerability in this internal system and reviewed all logs for suspicious activity.
Additional Information
If you have any questions about this, please contact us either through our support site (for customers) or by clicking here.
For details on MariaDB’s end-to-end security strategy, visit our Trust Center.
For information on reporting a security vulnerability, visit our vulnerability reporting page.