Several MariaDB customers have asked us about CVE-2021-44228, also known as “Log4Shell”, a vulnerability in the Log4j Java logging framework that may allow remote code execution (RCE).
Update: The details here also address the second Log4j vulnerability, CVE-2021-45046.
No MariaDB product is directly impacted by this CVE. MariaDB Connector/J can optionally be configured to use Log4j; users of MariaDB Connector/J should see this blog post for a detailed explanation of CVE-2021-44228 and its mitigations.
MariaDB Hosted Systems
MariaDB’s security team has reviewed our systems. While we have no vulnerable customer-facing systems, an internal system used a version of Log4j covered by CVE-2021-44228. We have mitigated the vulnerability in this internal system and reviewed all logs for suspicious activity.
For details on MariaDB’s end-to-end security strategy, visit our Trust Center.
For information on reporting a security vulnerability, visit our vulnerability reporting page.