Log4Shell (RCE vulnerability in Apache log4j2)
A few critical vulnerabilities have been discovered in Apache Log4j, a commonly used third-party logging framework. They have been assigned CVE-2021-44228, CVE-2021-45046, CVE-2021-44832 and CVE-2021-45105 and are commonly referred to as Log4Shell.
The main consequence of these vulnerabilities is that, if a malicious user is able to introduce custom text or data into the logs of an affected environment, that user could potentially cause arbitrary code to be executed remotely on the server side of the software, allowing them to access, alter or harm the service.
Further technical details on the vulnerabilities and their remediation recommendations can be found on the Apache Log4j website.
How this affects your RapidMiner deployment
RapidMiner Studio and RapidMiner AI Hub core components are NOT affected by these vulnerabilities. The only components where this vulnerability could be exploited are RapidMiner Radoop (the extension that provides integration with Hadoop systems) and the Radoop Proxy (proxy component run within Hadoop clusters to simplify communication between Radoop and the cluster).
Although the likelihood is extremely small, there is a theoretical possibility that the vulnerability is present even if the Radoop extension is only loaded and not actually used.
At RapidMiner, we immediately developed and published patches for these two Radoop components.
We strongly encourage all our users with Radoop on their environments to follow the procedure described below to protect against this vulnerability.
How to remediate the vulnerability
Update: the two most recently found vulnerabilities (CVE-2021-44832 and CVE-2021-45105) provide no attack surface, as the vulnerable classes and configurations required to exploit them are not used in our software.
When using Radoop in RapidMiner Studio
Simply launch Studio, and go to Extensions --> Marketplace (Updates & Extensions).
Make sure that Radoop is updated to a patched version (version 9.10.2 or later, unless you are using Studio version 9.7 or earlier, in which case look for Radoop version 9.7.2).
We recommend updating Radoop even if it’s installed but not used.
When using Radoop in AI Hub
To fix the vulnerability, you need to update to a patched version of the Radoop extension.
You will need to download a different version of the Radoop extension based on the version of RapidMiner AI Hub you are using:
- for RapidMiner AI Hub versions 9.7 or earlier, use Radoop version 9.7.2
- for RapidMiner AI Hub version 9.8 or later, use Radoop version 9.10.2
To update your Radoop extension, follow these steps:
- download the extension
- copy the extension to the persistent RapidMiner home folder in your AI Hub deployment (overwriting the rmx_rad.jar present there is advised)
- restart the RapidMiner Server component to ensure the extension is synced to all Job Agents in your AI Hub deployment. If restarting is undesirable, you can instead trigger the Central Resource Management functionality via our APIs
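After replacing rmx_rad.jar, a practitioner will want to confirm that the jar now in the persistent home folder no longer bundles an old log4j-core. The following is an added verification script, not RapidMiner's own tooling: it reads the Maven descriptor that every log4j-core jar carries (also inside nested jars, a layout extension bundles commonly use) and flags versions below 2.17.1, the release Apache published for the last of the four CVEs above (that threshold, and the constructed sample jars, are assumptions of this example).

```python
import io
import re
import zipfile

# Maven descriptor present in every log4j-core jar (standard Maven layout).
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Assumption: first 2.x release fixing all four CVEs named in this advisory.
# Conservative: backport lines (2.12.4, 2.3.2) are also flagged for manual review.
FIXED = (2, 17, 1)


def _version_tuple(text):
    m = re.search(r"^version=(\d+)\.(\d+)\.(\d+)", text, re.M)
    return tuple(int(x) for x in m.groups()) if m else None


def log4j_core_versions(jar_bytes, prefix=""):
    """Map each log4j-core descriptor found in the jar (nested jars included,
    keyed as outer.jar!/inner path) to its parsed version tuple."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name == POM_PROPS:
                found[prefix + name] = _version_tuple(zf.read(name).decode())
            elif name.endswith(".jar"):  # descend into bundled dependency jars
                found.update(log4j_core_versions(zf.read(name), prefix + name + "!/"))
    return found


def is_vulnerable(jar_bytes):
    """True if any bundled log4j-core is older than FIXED or has no parsable version.
    A jar that bundles no log4j-core at all reports False."""
    return any(v is None or v < FIXED for v in log4j_core_versions(jar_bytes).values())


def scan_jar_file(path):
    """Convenience wrapper for a jar on disk, e.g. the rmx_rad.jar in the home folder."""
    with open(path, "rb") as fh:
        return is_vulnerable(fh.read())


def _make_jar(entries):
    """Build an in-memory jar; used only to construct sample fixtures below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples (not real Radoop artifacts): an old build nesting log4j-core
# 2.14.1, and a patched build nesting 2.17.1.
OLD_JAR = _make_jar({"lib/log4j-core.jar": _make_jar({POM_PROPS: "version=2.14.1\n"})})
NEW_JAR = _make_jar({"lib/log4j-core.jar": _make_jar({POM_PROPS: "version=2.17.1\n"})})

if __name__ == "__main__":
    for label, jar in (("old", OLD_JAR), ("patched", NEW_JAR)):
        print(label, log4j_core_versions(jar), "VULNERABLE" if is_vulnerable(jar) else "ok")
```

Run `scan_jar_file("/path/to/rmx_rad.jar")` against the deployed file; a `True` result means the copy in the home folder is still the old build and the restart has not been picked up.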
When using Radoop Proxy (standalone)
If you are not using the recommended (Docker container based) deployment of Radoop Proxy, and it is instead running as a standalone service on an edge node in your network, you first need to download the patched version.
To update your standalone Radoop Proxy:
- unpack the downloaded ZIP file
- migrate your configuration from your previously installed version of Radoop Proxy
- stop the old version of Radoop Proxy that was running on your machine
- start the new version
For more details refer to our documentation page detailing standalone Radoop Proxy installation.