Apache Log4j2 Overview

Log4j2 Notice

Our security team has performed a thorough review of our products in regards to the log4j vulnerability. It has been determined that the only CData products that reference log4j, include a previous version of log4j that does not appear to be affected by this vulnerability. However out of an abundance of caution we have updated affected products to remove log4j dependencies entirely.

Only two products in the CData portfolio include a reference for log4j: CData Drivers for Kafka, and CData ArcESB (Java). All references to log4j have been removed from the latest versions of either product, and these new builds are immediately available online -

• CData Drivers for Kafka: https://www.cdata.com/drivers/kafka/download/
• ArcESB: https://www.arcesb.com/download/

Update ArcESB

ArcESB 2020 and releases of RSSBus Connect prior to this (RSSBus Connect 2016 through 2019) do not contain any references to log4j and are unaffected by this vulnerability. Similarly, the 2021 release of ArcESB for Windows includes no assemblies that contain the log4j vulnerability.

If you are using the Windows/.NET edition of ArcESB or a Java release before 21.0.7963.0, you can proceed without changes. In recent releases of the Java version of ArcESB 2021 (21.0.7963.0 and later), support was added for a Kafka connector (a connector for integrating with Apache Kafka), which does embed the log4j-1.2.17.jar where a security vulnerability has been found. A review from our development team concludes that we don't believe this code is exploitable; nevertheless, we will be making new builds of the Kafka JDBC driver available soon that removes this embedded jar.

Users of the existing distribution of ArcESB 2021 Java Edition (21.0.7963.0 and later) can remove the cdata.jdbc.apachekafka.jar from the lib folder of their Java servlet container to remove any doubt about the presence of the vulnerability.