Sentry's response to Log4j vulnerability CVE-2021-44228
On December 9th, 2021, CVE-2021-44228 was announced, impacting versions 2.x of log4j (also known as log4j2). This issue was believed to be fixed in log4j 2.15.0; however, on December 14th, 2021, CVE-2021-45046 was announced and log4j 2.16.0 was released, fixing the additional exploitation vectors.
Sentry is written in Python and Rust, and therefore does not make use of the Java logging library, log4j. Two components used by Sentry, Kafka and Zookeeper, are written in Java and make use of the unimpacted log4j 1.x series. These products are also not impacted by the log4j vulnerabilities (Kafka, Zookeeper).
Sentry’s SaaS platform was not impacted by the log4j vulnerabilities. As a Python application, we do not make use of log4j directly. While thoroughly examining our cloud environment, we determined that we are not running any impacted software in a way that is publicly available. An internal-only ElasticSearch cluster was the only impacted software and has already undergone updates to mitigate the issue.
Self-hosted Sentry, in its default configuration, is not impacted by the log4j vulnerabilities. Self-hosted does make use of Kafka and Zookeeper, which as mentioned above are not vulnerable. If you are running self-hosted Sentry in a non-default setup, you may need to evaluate whether these vulnerabilities put your specific environment at risk.
The sentry-java SDK does not make use of log4j directly; however, Sentry offers an integration with log4j2 through sentry-log4j2. You should control which version of log4j2 your project is using by directly adding a dependency to your Maven or Gradle project with the unaffected version 2.16.0. Sentry’s integration with log4j was updated to require that version or higher, to help avoid situations where users are bringing log4j2 as a transitive dependency of Sentry’s integration instead of a direct dependency.
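One way to check a Maven project for the situation described above, as an added example that is not Sentry's own tooling: the script parses `mvn dependency:tree` output and reports, for each `log4j-core` entry, whether it is a direct dependency and whether its version is below 2.16.0. The sample tree, the `com.example` project and the `0.0.0-example` version are constructed placeholders, and the function names are hypothetical.

```python
import re

# Constructed sample of `mvn dependency:tree` output; every coordinate and
# version below is a placeholder made up for illustration.
SAMPLE_TREE = """\
[INFO] com.example:app:jar:1.0.0
[INFO] +- io.sentry:sentry-log4j2:jar:0.0.0-example:compile
[INFO] |  +- io.sentry:sentry:jar:0.0.0-example:compile
[INFO] |  \\- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] \\- org.slf4j:slf4j-api:jar:1.7.32:compile
"""

FIXED = (2, 16, 0)  # version the advisory names as unaffected
# Tree art comes in 3-character units ("+- ", "|  ", "\- ", "   ").
LINE = re.compile(r"^\[INFO\] ((?:[|+\\ -]{3})*)(\S+:\S+)")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); qualifiers such as '-beta9' are ignored."""
    nums = [int(n) for n in re.findall(r"\d+", text.split("-")[0])]
    return tuple(nums + [0] * (3 - len(nums)))


def audit(tree_text):
    """Return one finding per log4j-core entry in a Maven dependency tree."""
    findings = []
    for line in tree_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        depth = len(m.group(1)) // 3          # nesting level in the tree
        fields = m.group(2).split(":")        # group:artifact:type[:classifier]:version:scope
        if depth == 0 or len(fields) < 5:     # root project or unexpected line
            continue
        group, artifact, version = fields[0], fields[1], fields[-2]
        # log4j 1.x uses a different groupId, so it is not matched here.
        if (group, artifact) != ("org.apache.logging.log4j", "log4j-core"):
            continue
        findings.append({"version": version,
                         "direct": depth == 1,
                         "below_fixed": parse_version(version) < FIXED})
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_TREE):
        print(finding)
```

A finding with `direct` false and `below_fixed` true is the case the advisory warns about: log4j2 arriving only through another dependency at an affected version.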