Log4j CVE-2021-44228 Vulnerability

We are using Prometheus. Hope you are aware of the critical vulnerability reported on Log4j, CVE-2021-44228. We would like to understand if there is any impact. If there is any impact, please suggest when the fix is going to be available and if any workaround is available.

Prometheus itself is written in Go rather than Java, so it has no issue. However, there are various bits of the ecosystem (e.g. third-party exporters) that might be using Java and therefore could have issues. So it really depends on what you are using. I'd suggest taking stock of what is being used, and then for all the pieces that are written in Java, check for updated versions (if needed) from their creators.

Thanks Stuart for the information. Is there any official details article I can go through? Or can I expect anything soon?

As it only affects Java applications and Prometheus isn't a Java application, there isn't really anything "official" to say.

With regards to other applications which are Java and are part of the broader Prometheus ecosystem, you'd need to look to whoever owns/manages them for something "official", as it isn't something the core Prometheus developers can help with (as they aren't involved with other parts of the ecosystem).

Thanks Stuart,

Thank You for the confirmation.
In addition to CVE-2021-44228, two more vulnerabilities were reported:

https://nvd.nist.gov/vuln/detail/CVE-2021-4104
https://nvd.nist.gov/vuln/detail/CVE-2021-45046

We would like to understand if there is any impact on Prometheus?
If there is any impact, please suggest when the fix is going to be available and if any workaround is available.

Looking forward.

As before, these are both referring to issues with Java applications, so not applicable to the core Prometheus system, which is written in Go.
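Stuart's advice above is to take stock of the Java pieces around a Prometheus deployment (third-party exporters, JMX agents, and so on) rather than Prometheus itself. The script below is an added example of how to do that inventory for the three CVEs raised in this thread; it is not Prometheus project code and not from any participant. It walks a directory tree, opens every jar/war/ear, and classifies Log4j 2.x by its manifest version (CVE-2021-44228 fixed in 2.15.0, CVE-2021-45046 fixed in 2.16.0, with 2.12.2 as the Java 7 backport of the same fixes), treats a jar whose JndiLookup.class has been stripped as mitigated (the published class-removal workaround), and flags Log4j 1.x jars that still ship JMSAppender for a configuration review (CVE-2021-4104 only applies when JMSAppender is configured). The jars it builds in `demo()` are constructed fixtures with empty class entries, not real Log4j artifacts, and the status strings are this example's own labels.

```python
"""Inventory a directory tree for Log4j jars and classify them against
CVE-2021-44228 and CVE-2021-45046 (Log4j 2.x) and CVE-2021-4104 (Log4j 1.x).
Added example; not Prometheus project code."""
import re
import tempfile
import zipfile
from pathlib import Path

# Class whose removal is the published workaround for the Log4j 2.x JNDI issues.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Log4j 1.2 appender that CVE-2021-4104 depends on.
JMS_APPENDER = "org/apache/log4j/net/JMSAppender.class"
LOG4J2_CORE_PREFIX = "org/apache/logging/log4j/core/"

# Status labels are this example's own, not an official classification.
FIXED = "fixed"
MITIGATED = "mitigated (JndiLookup.class removed)"
VULN_BOTH = "vulnerable: CVE-2021-44228 and CVE-2021-45046 - upgrade to 2.16.0"
VULN_45046 = "vulnerable: CVE-2021-45046 (44228 fixed in 2.15.0) - upgrade to 2.16.0"
UNKNOWN = "log4j-core 2.x of unknown version - treat as vulnerable until verified"
REVIEW_4104 = ("Log4j 1.x with JMSAppender - CVE-2021-4104 only if JMSAppender "
               "is configured; check the log4j configuration")


def parse_version(text):
    """Return (major, minor, patch) from the first x.y.z in text, else None."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(g) for g in m.groups()) if m else None


def jar_version(zf, path):
    """Prefer Implementation-Version from the manifest; fall back to the file name."""
    try:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        manifest = ""
    for line in manifest.splitlines():
        if line.lower().startswith("implementation-version:"):
            return parse_version(line.split(":", 1)[1])
    return parse_version(Path(path).name)


def classify_log4j2(version, jndi_present):
    """Map a log4j-core 2.x version plus JndiLookup presence to a status label."""
    if not jndi_present:
        return MITIGATED
    if version is None:
        return UNKNOWN
    # 2.12.2 and later on the 2.12 branch are the Java 7 backports of the 2.16.0 fixes.
    if version >= (2, 16, 0) or (version[:2] == (2, 12) and version >= (2, 12, 2)):
        return FIXED
    if version >= (2, 15, 0):
        return VULN_45046
    return VULN_BOTH


def assess_jar(path):
    """Return the statuses that apply to one archive (empty list if it is not Log4j)."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        version = jar_version(zf, path)
    statuses = []
    if JMS_APPENDER in names:
        statuses.append(REVIEW_4104)
    if any(n.startswith(LOG4J2_CORE_PREFIX) for n in names):
        statuses.append(classify_log4j2(version, JNDI_LOOKUP in names))
    return statuses


def scan_tree(root):
    """Walk root for .jar/.war/.ear files; return {path: statuses} for Log4j hits only."""
    hits = {}
    for p in Path(root).rglob("*"):
        if p.suffix.lower() in (".jar", ".war", ".ear") and zipfile.is_zipfile(p):
            statuses = assess_jar(p)
            if statuses:
                hits[str(p)] = statuses
    return hits


def make_jar(path, entries, impl_version=None):
    """Write a constructed jar (a zip with empty entries); fixture only, not a real build."""
    with zipfile.ZipFile(path, "w") as zf:
        if impl_version:
            zf.writestr("META-INF/MANIFEST.MF",
                        f"Manifest-Version: 1.0\nImplementation-Version: {impl_version}\n")
        for name in entries:
            zf.writestr(name, b"")


def demo():
    """Build constructed fixtures in a temp dir, scan them, and return {file name: statuses}."""
    with tempfile.TemporaryDirectory() as d:
        core = LOG4J2_CORE_PREFIX + "Logger.class"
        make_jar(f"{d}/log4j-core-2.14.1.jar", [core, JNDI_LOOKUP], "2.14.1")
        make_jar(f"{d}/log4j-core-2.15.0.jar", [core, JNDI_LOOKUP], "2.15.0")
        make_jar(f"{d}/log4j-core-2.16.0.jar", [core, JNDI_LOOKUP], "2.16.0")
        make_jar(f"{d}/patched.jar", [core])  # JndiLookup stripped, no version anywhere
        make_jar(f"{d}/log4j-1.2.17.jar", [JMS_APPENDER], "1.2.17")
        make_jar(f"{d}/unrelated.jar", ["com/example/Foo.class"])
        hits = scan_tree(d)
        for path, statuses in sorted(hits.items()):
            print(Path(path).name, "->", "; ".join(statuses))
        return {Path(p).name: s for p, s in hits.items()}


if __name__ == "__main__":
    demo()
```

Point `scan_tree()` at the install directories or extracted container images of each Java exporter and you get a per-jar verdict to take back to that exporter's maintainers. Two caveats: the scan only opens top-level archives, so a log4j-core jar nested inside a war, an uber-jar with shaded package names, or a vendored copy on a runtime classpath outside the tree will not be found, and the 1.x check is a prompt to review configuration, not proof of exploitability.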