This article explains the Apache Log4j CVE-2021-44228 vulnerability and its level of impact on Qumulo. It applies to clusters that run any version of Qumulo Core.
Level of Impact
Qumulo is not susceptible to this vulnerability and the Qumulo Linux subsystem does not contain any of the components or services that can trigger this Java Naming and Directory Interface (JNDI) exploit.
This vulnerability allows remote attackers to submit a specially crafted request to vulnerable systems that run unpatched versions of Apache Log4j 2 and then instruct that system to download and execute a malicious payload.
No action is required on your part to protect your Qumulo clusters from this vulnerability. However, if you currently deploy Apache Log4j 2 in your environment, we recommend validating your current running version against the latest available build. For more information, see Apache Log4j Security Vulnerabilities in the Apache Logging Services documentation.
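One way to carry out that version check on other hosts in your environment, as an added example (not Qumulo or Apache code): it walks a directory tree, opens each Java archive including archives nested inside WAR or fat-jar files, and reports every bundled log4j-core copy whose version is below a baseline you supply from the Apache page. The function names and the `root` and `baseline` arguments are assumptions made for this example.

```python
import io, os, re, sys, zipfile

# Markers inside a log4j-core jar: the JNDI lookup class and the Maven metadata file.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear")

def parse_version(text):
    """Turn '2.14.1' or '2.0-beta9' into a comparable tuple of ints (qualifier ignored)."""
    return tuple(int(n) for n in re.findall(r"\d+", text.split("-")[0]))

def scan_archive(fileobj, label, baseline, findings):
    """Inspect one archive and recurse into archives packed inside it."""
    try:
        zf = zipfile.ZipFile(fileobj)
    except zipfile.BadZipFile:
        return  # misnamed or corrupt file: nothing to inspect
    with zf:
        names = set(zf.namelist())
        if POM_PROPS in names:
            props = zf.read(POM_PROPS).decode("utf-8", "replace")
            m = re.search(r"^version=(.+)$", props, re.M)
            version = m.group(1).strip() if m else "unknown"
            # An unreadable version is treated as outdated so it gets a manual look.
            outdated = version == "unknown" or parse_version(version) < parse_version(baseline)
            findings.append({"path": label, "version": version,
                             "has_jndi_lookup": JNDI_CLASS in names, "outdated": outdated})
        for name in names:
            if name.lower().endswith(ARCHIVE_EXT):
                scan_archive(io.BytesIO(zf.read(name)), f"{label}!{name}", baseline, findings)

def scan_tree(root, baseline):
    """Return one finding per log4j-core copy found under root."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, f)
                with open(path, "rb") as fh:
                    scan_archive(fh, path, baseline, findings)
    return findings

if __name__ == "__main__":
    # Usage: python scan_log4j.py <directory> <baseline-version>
    for hit in scan_tree(sys.argv[1], sys.argv[2]):
        print(hit)
```

Copies that were repackaged without their Maven metadata are not reported, so treat an empty result as a first pass rather than proof of absence.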