HiveMQ is not affected by Log4Shell

HiveMQ is not affected by Log4Shell

author portrait

Written by Georg Held

Category: HiveMQ HiveMQ Cloud Security

Published: December 13, 2021


Does Log4Shell impact HiveMQ?

TL;DR: No versions of HiveMQ products or HiveMQ Cloud are affected by vulnerability CVE-2021-44228, commonly known as Log4Shell.

Background Information

On Friday, December 10, 2021, the company LunaSec announced that it discovered a security vulnerability in the widely used Java logging framework Log4j 2.

This vulnerability allows for remote code execution if the framework is used in a version between and including 2.0-beta9 and 2.14.1. A fixed artifact with the version 2.15.0 is currently available.

Exposure at HiveMQ

HiveMQ does not use Log4j 2 in any of its products, open-source projects, or in the HiveMQ Cloud platform. Therefore, HiveMQ products are not directly vulnerable and deployments that use only HiveMQ products are secure.

If you deploy your own custom HiveMQ extensions, these extensions could still be affected by CVE-2021-44228.

To check the vulnerability of your extension, run one of the following options:

./gradlew dependencies

if you are using gradle as your build tool or

mvn dependency:tree

if you are using Maven.

Check the output carefully. If your output contains log4j-core, update to a version greater than or equal to 2.15.0 immediately.

author Georg Held

About Georg Held

Georg serves as an engineering manager at HiveMQ. Under his responsibility the HiveMQ Broker, Enterprise Extensions, and Swarm are developed.
mail icon Contact Georg

newer posts Using MQTT and Raspberry Pi to Visualize Sensor Data on a TilesFX Dashboard
MQTT on Raspberry Pi: Send Sensor Data to HiveMQ Cloud with Java and Pi4J older posts