
Sentry's response to Log4j vulnerability CVE-2021-44228

Alek Amrani

Sentry is not impacted by the log4j vulnerabilities, CVE-2021-44228 or CVE-2021-45046, also known as log4shell.

On December 9th, 2021 CVE-2021-44228 was announced, impacting versions 2.x of log4j (also known as log4j2). This issue was believed to be fixed in log4j 2.15.0, however on December 14th, 2021 CVE-2021-45046 was announced, and log4j 2.16.0 was released, fixing the additional exploitation vectors.

Sentry is written in Python and Rust, and therefore does not make use of the Java logging library, log4j. There are two components, Kafka and Zookeeper, used by Sentry that are written in Java, and make use of the unimpacted log4j 1.x series. These products are also not impacted by the log4j vulnerabilities (Kafka, Zookeeper).

SaaS

Sentry’s SaaS platform was not impacted by the log4j vulnerabilities. As a Python application, it does not make use of log4j directly. While thoroughly examining our cloud environment, we determined that we are not running any impacted software in a way that is publicly reachable. An internal-only Elasticsearch cluster was the only impacted software, and it has already been updated to mitigate the issue.

Self-hosted

Self-hosted Sentry, in its default configuration, is not impacted by the log4j vulnerabilities. Self-hosted Sentry does make use of Kafka and Zookeeper, which, as mentioned above, are not vulnerable. If you run self-hosted Sentry in a non-default setup, you may need to evaluate whether these vulnerabilities affect your specific environment.

SDKs

The sentry-java SDK does not make use of log4j directly; however, Sentry offers an integration with log4j2 through sentry-log4j2. You should control which version of log4j2 your project uses by adding a direct dependency on the unaffected version 2.16.0 to your Maven or Gradle project. Sentry’s log4j2 integration was updated to require that version or higher, to help avoid situations where users pick up log4j2 as a transitive dependency of Sentry’s integration instead of declaring it as a direct dependency.
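As an added example (not from the original post or from the sentry-java project), the following Gradle build fragment shows the dependency layout the paragraph above recommends: sentry-log4j2 is declared alongside an explicit, direct log4j2 dependency pinned to 2.16.0, and a resolution rule forces that version even if some other library pulls in an older log4j2 transitively. The sentry-log4j2 version is a placeholder you should replace with the release you actually use.

```groovy
// build.gradle (Groovy DSL); example only, not Sentry's own build file.
plugins {
    id 'java'
}

repositories {
    mavenCentral()
}

// Placeholder: use the sentry-log4j2 release that fits your project.
def sentryLog4j2Version = 'X.Y.Z'
// Version from the advisory above; do not rely on a transitive pick.
def log4jVersion = '2.16.0'

dependencies {
    // Sentry's log4j2 appender integration.
    implementation "io.sentry:sentry-log4j2:${sentryLog4j2Version}"

    // Direct log4j2 dependency so your project, not a transitive
    // edge, decides which log4j2 version ends up on the classpath.
    implementation "org.apache.logging.log4j:log4j-api:${log4jVersion}"
    implementation "org.apache.logging.log4j:log4j-core:${log4jVersion}"
}

// Belt and braces: if any other dependency asks for an older log4j2,
// resolve it to the pinned version instead of letting Gradle's
// default conflict resolution pick whatever is highest.
configurations.all {
    resolutionStrategy {
        force "org.apache.logging.log4j:log4j-api:${log4jVersion}"
        force "org.apache.logging.log4j:log4j-core:${log4jVersion}"
    }
}
```

Verify the resolved versions with `gradle dependencies --configuration runtimeClasspath` (or `mvn dependency:tree` for Maven) and confirm that no `log4j-core` entry below 2.16.0 remains in the output.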
