HiveMQ is not affected by Log4Shell
Written by Georg Held
Category: HiveMQ HiveMQ Cloud Security
Published: December 13, 2021
Does Log4Shell impact HiveMQ?
TL;DR: No versions of HiveMQ products or HiveMQ Cloud are affected by vulnerability CVE-2021-44228, commonly known as Log4Shell.
On Friday, December 10, 2021, the company LunaSec announced that it discovered a security vulnerability in the widely used Java logging framework Log4j 2.
This vulnerability allows for remote code execution if the framework is used in a version between and including
2.14.1. A fixed artifact with the version
2.15.0 is currently available.
Exposure at HiveMQ
HiveMQ does not use Log4j 2 in any of its products, open-source projects, or in the HiveMQ Cloud platform. Therefore, HiveMQ products are not directly vulnerable and deployments that use only HiveMQ products are secure.
If you deploy your own custom HiveMQ extensions, these extensions could still be affected by CVE-2021-44228.
To check the vulnerability of your extension, run one of the following options:
if you are using gradle as your build tool or
if you are using Maven.
Check the output carefully. If your output contains
log4j-core, update to a version greater than or equal to