HiveMQ is not affected by Log4Shell

Written by Georg Held

Category: HiveMQ, HiveMQ Cloud, Security

Published: December 13, 2021


Does Log4Shell impact HiveMQ?

TL;DR: No versions of HiveMQ products or HiveMQ Cloud are affected by vulnerability CVE-2021-44228, commonly known as Log4Shell.

Background Information

On Friday, December 10, 2021, the company LunaSec announced that it discovered a security vulnerability in the widely used Java logging framework Log4j 2.

This vulnerability allows remote code execution when the framework is used in any version from 2.0-beta9 up to and including 2.14.1. A fixed artifact, version 2.15.0, is currently available.

Exposure at HiveMQ

HiveMQ does not use Log4j 2 in any of its products, open-source projects, or in the HiveMQ Cloud platform. Therefore, HiveMQ products are not directly vulnerable and deployments that use only HiveMQ products are secure.

If you deploy your own custom HiveMQ extensions, these extensions could still be affected by CVE-2021-44228.

To check whether your extension pulls in a vulnerable version of Log4j 2, list its dependencies with one of the following commands:

./gradlew dependencies

if you are using Gradle as your build tool, or

mvn dependency:tree

if you are using Maven.

Check the output carefully, including transitive dependencies pulled in by other libraries. If the output contains log4j-core, update to version 2.15.0 or later immediately.
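As an added example (not part of HiveMQ's post), the following Python script scans the output of either command above for log4j-core and flags any resolved version older than 2.15.0. The embedded dependency trees are constructed samples, and the ordering of pre-release qualifiers such as 2.0-beta9 is an assumption made by this script.

```python
import re

# Log4Shell (CVE-2021-44228) is fixed in log4j-core 2.15.0, as the post states.
FIXED_VERSION = "2.15.0"

# log4j-core as printed by Gradle ("group:artifact:version", optionally "-> resolved")
# and by Maven ("group:artifact:jar:version:scope"); versions must start with a digit.
_LOG4J_CORE_RE = re.compile(
    r"org\.apache\.logging\.log4j:log4j-core"
    r"(?::jar)?(?::([0-9][\w.-]*))?"   # declared version (absent when a platform sets it)
    r"(?:\s*->\s*([0-9][\w.-]*))?"     # Gradle conflict-resolution arrow
)

def parse_version(version):
    """'2.14.1' or '2.0-beta9' -> comparable tuple; a '-qualifier' sorts before the release."""
    core, _, qualifier = version.partition("-")
    nums = [int(n) for n in re.findall(r"\d+", core)][:3]
    nums += [0] * (3 - len(nums))
    return (*nums, 0 if qualifier else 1)

def find_log4j_core_versions(tree_output):
    """Resolved log4j-core versions that appear anywhere in a dependency tree."""
    versions = set()
    for line in tree_output.splitlines():
        match = _LOG4J_CORE_RE.search(line)
        if match and (match.group(2) or match.group(1)):
            versions.add(match.group(2) or match.group(1))
    return versions

def vulnerable_log4j_core_versions(tree_output):
    """log4j-core versions in the tree that are older than FIXED_VERSION."""
    fixed = parse_version(FIXED_VERSION)
    return sorted(v for v in find_log4j_core_versions(tree_output)
                  if parse_version(v) < fixed)

# Constructed sample trees (not captured from a real build) in both tools' formats.
GRADLE_SAMPLE = """\
compileClasspath - Compile classpath for source set 'main'.
+--- org.apache.logging.log4j:log4j-api:2.14.1
\\--- org.apache.logging.log4j:log4j-core:2.13.0 -> 2.14.1 (*)
"""
MAVEN_SAMPLE = """\
[INFO] com.example:my-extension:jar:1.0.0
[INFO] +- org.apache.logging.log4j:log4j-api:jar:2.15.0:compile
[INFO] \\- org.apache.logging.log4j:log4j-core:jar:2.15.0:compile
"""

if __name__ == "__main__":  # usage: ./gradlew dependencies | python check_log4j.py
    import sys
    print("vulnerable log4j-core versions:", vulnerable_log4j_core_versions(sys.stdin.read()))
```

Note that log4j-api alone does not carry the vulnerable JNDI lookup, which is why the script only reports log4j-core.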

About Georg Held

Georg serves as an engineering manager at HiveMQ. Under his responsibility the HiveMQ Broker, Enterprise Extensions, and Swarm are developed.
