Share on Twitter
Share on Facebook
Share on HackerNews

Sentry's response to Log4j vulnerability CVE-2021-44228

Sentry is not impacted by the log4j vulnerabilities, CVE-2021-44228 or CVE-2021-45046, also known as log4shell.

On December 9th, 2021 CVE-2021-44228 was announced, impacting versions 2.x of log4j (also known as log4j2). This issue was believed to be fixed in log4j 2.15.0, however on December 14th, 2021 CVE-2021-45046 was announced, and log4j 2.16.0 was released, fixing the additional exploitation vectors.

Sentry is written in Python and Rust, and therefore does not make use of the Java logging library, log4j. There are two components, Kafka and Zookeeper, used by Sentry that are written in Java, and make use of the unimpacted log4j 1.x series. These products are also not impacted by the log4j vulnerabilities (Kafka, Zookeeper).

SaaS

Sentry’s SaaS platform was not impacted by the log4j vulnerabilities. As a Python application, we do not make use of log4j directly. While thoroughly examining our cloud environment, we determined that we are not running any impacted software in a way that is publicly available. An internal-only ElasticSearch cluster was the only impacted software and has already undergone updates to mitigate the issue.

Self Hosted

Self hosted Sentry, in its default configuration, is not impacted by the log4j vulnerabilities. Self hosted does make use of Kafka and Zookeeper, which as mentioned above are not vulnerable. If running self hosted Sentry in a non-default setup, you may need to evaluate if you are at risk of these vulnerabilities impacting your specific environment.

SDKs

The sentry-java SDK does not make use of log4j directly, however Sentry offers an integration with log4j2 through sentry-log4j2. You should control which version of log4j2 your project is using by directly adding a dependency to your Maven or Gradle project with the unaffected version 2.16.0. Sentry’s integration with log4j was updated to require that version or higher, to help avoid situations where users are bringing log4j2 as a transient dependency of Sentry’s integration instead of a direct dependency.

Your code is broken. Let's Fix it.
Get Started

More from the Sentry blog

ChangelogDashboardsDiscoverDogfooding ChroniclesEcosystemError MonitoringEventsGuest PostsOpen SourceRelease HealthSDK UpdatesSentry

Do you like corporate newsletters?

Neither do we. Sign up anyway.

© 2022 • Sentry is a registered Trademark
of Functional Software, Inc.