Upgrade log4j libraries on Couchbase Server 6.6.0-7909 (EE)

We got a vulnerability report from our security team, and they are reporting that we need to update log4j in order to be compliant. Is there any documentation for this activity, or what will be the steps to get rid of these vulnerabilities?

Upgrade to Apache Log4j version 2.15.0 or later, or apply the vendor mitigation.

Upgrading to the latest versions for Apache Log4j is highly recommended as intermediate versions / patches have known high severity vulnerabilities and the vendor is updating their advisories often as new research and knowledge about the impact of Log4j is discovered. Refer to Log4j – for the latest versions.

Can you provide the CVE? Then I can search for tickets regarding what action should be taken. Maybe it’s NVD - CVE-2021-44228 ?

Couchbase Server 6.x is end-of-life, I would imagine the recommended remediation is to upgrade.

Hi, yes, the CVE is CVE-2021-44228. Regarding the upgrade, we will check whether we can do it right now or later.

The fix for 6.6.x is in 6.6.5. So upgrading to that would be sufficient. But since you’re upgrading anyway, might as well go to 7.6.1.

I am not sure if we will upgrade immediately, so my question is whether I can update the libraries under /opt/couchbase/lib/cbas/repo from 2.13.3 to the latest ones (2.23.1):

log4j-api-2.13.3.jar
log4j-core-2.13.3.jar
log4j-jcl-2.13.3.jar
log4j-jul-2.13.3.jar
log4j-slf4j-impl-2.13.3.jar
log4j-web-2.13.3.jar
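Before deciding between an in-place jar swap and a full upgrade, it helps to have an inventory of exactly which log4j jars are present and which of them are below the fixed version. The script below is an added example, not something from the thread or from Couchbase: it walks a directory tree, parses the version out of every `log4j-*.jar` file name, and flags any `log4j-core` jar older than 2.15.0, the minimum version the first reply names for CVE-2021-44228. The directory layout and the empty `.jar` files in `make_demo_dir` are constructed to mirror the names quoted above; run `scan_log4j /opt/couchbase/lib` against a real install instead. Note that a name check only sees jars on disk, not classes bundled into other archives, and that the thread's actual recommendation is to upgrade Couchbase itself rather than patch jars by hand.

```shell
#!/bin/sh
# Added example: inventory log4j jars under a directory and flag any
# log4j-core below MIN_FIXED. Not part of the thread or of Couchbase.

MIN_FIXED="2.15.0"   # threshold named in the thread for CVE-2021-44228

# version_lt A B: succeed (exit 0) when dotted version A is lower than B.
version_lt() {
  a1=$(echo "$1" | cut -d. -f1); a2=$(echo "$1" | cut -d. -f2); a3=$(echo "$1" | cut -d. -f3)
  b1=$(echo "$2" | cut -d. -f1); b2=$(echo "$2" | cut -d. -f2); b3=$(echo "$2" | cut -d. -f3)
  [ "${a1:-0}" -lt "${b1:-0}" ] && return 0
  [ "${a1:-0}" -gt "${b1:-0}" ] && return 1
  [ "${a2:-0}" -lt "${b2:-0}" ] && return 0
  [ "${a2:-0}" -gt "${b2:-0}" ] && return 1
  [ "${a3:-0}" -lt "${b3:-0}" ]
}

# scan_log4j DIR: print "<path> <version> <status>" for every log4j-*.jar
# under DIR; exit 1 if any log4j-core jar is below MIN_FIXED, else 0.
scan_log4j() {
  dir=$1
  rc=0
  for jar in $(find "$dir" -type f -name 'log4j-*.jar' | sort); do
    name=$(basename "$jar")
    # strip "log4j-<module>-" prefix and ".jar" suffix to isolate the version
    ver=$(echo "$name" | sed -E 's/^log4j-.*-([0-9]+\.[0-9]+\.[0-9]+)\.jar$/\1/')
    case "$name" in
      log4j-core-*)
        # only log4j-core carries the JNDI lookup affected by CVE-2021-44228
        if version_lt "$ver" "$MIN_FIXED"; then
          status="VULNERABLE(CVE-2021-44228)"; rc=1
        else
          status="ok"
        fi ;;
      *) status="n/a" ;;
    esac
    echo "$jar $ver $status"
  done
  return $rc
}

# make_demo_dir: constructed throwaway tree with empty files named like the
# jars quoted in the thread (a name check does not need real archives).
make_demo_dir() {
  d=$(mktemp -d)
  mkdir -p "$d/cbas/repo"
  for m in api core jcl jul slf4j-impl web; do
    : > "$d/cbas/repo/log4j-$m-2.13.3.jar"
  done
  echo "$d"
}

# Stand-alone run: scan the constructed tree and report the overall verdict.
demo=$(make_demo_dir)
if scan_log4j "$demo"; then
  echo "no log4j-core below $MIN_FIXED under $demo"
else
  echo "at least one log4j-core below $MIN_FIXED under $demo"
fi
rm -rf "$demo"
```

On a real host, point `scan_log4j` at the Couchbase install root and review the `VULNERABLE` lines; a clean result on the name check is necessary but not sufficient, which is one more reason the thread's answer of upgrading the server is the only supported remediation.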

The only recommended remediation is to upgrade.
