Log4Shell Vulnerability and Aerospike
On December 9, 2021, a critical vulnerability in Apache Log4j, nicknamed Log4Shell and tracked as CVE-2021-44228, was published. It affects JVM-based applications that use log4j-core versions 2.0-beta9 through 2.14.1; log4j-api on its own does not contain the vulnerable JNDI lookup code. Apache Log4j's first fix, log4j-core 2.15.0, did not fully close the exploit (the remaining issue was tracked as CVE-2021-45046), so a further fix was released in log4j-core 2.16.0, which is the release to upgrade to.

Aerospike's assessment of its own products is as follows. The Aerospike Database server is written in C, not Java, and is not vulnerable to this exploit. The Aerospike REST gateway was exposed and has been patched in release 1.10.2; users should upgrade immediately. The Spring Data project depends on log4j-api but not on the vulnerable log4j-core. Aerospike Loader is a command-line tool with minimal potential exposure; an updated release will be published in aerospike/aerospike-loader. The Aerospike Java client's logging is callback-based and does not use a logging library directly.

Skyhook uses the Logback framework, which is not affected by this CVE. The streaming connectors for Kafka, Pulsar, JMS and Event Stream Processing (ESP), and the XDR Proxy, also use Logback and are not affected. The Trino connector does not use log4j-core. The Spark connector uses Spark's own logging mechanism, so users should follow updates from Databricks/Apache Spark.

Aerospike also found that all customer environments it manages are unaffected by this CVE.
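The assessment above turns on three distinctions a practitioner has to make for every JVM component: whether log4j-core (not just log4j-api) is on the classpath, whether its version is below 2.16.0, and whether a shaded or uber JAR hides the vulnerable class without any Maven metadata. The script below is an added example of that triage, written for this page; it is not Aerospike's tooling and not from the original article. It assumes the standard Maven metadata layout inside a JAR (META-INF/maven/<groupId>/<artifactId>/pom.properties) and uses constructed in-memory sample JARs so it runs offline.

```python
"""Classpath triage for Log4Shell (CVE-2021-44228).

Added example, not Aerospike's code. A JAR that carries JndiLookup.class
but no Maven metadata (a shaded/uber JAR) is reported as log4j-core of
unknown version so a human can inspect it.
"""
import io
import os
import re
import zipfile

POM_PATH = "META-INF/maven/org.apache.logging.log4j/{}/pom.properties"
POM_PROPS_RE = re.compile(
    r"^META-INF/maven/org\.apache\.logging\.log4j/(log4j-core|log4j-api)/pom\.properties$"
)
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# 2.15.0 was an incomplete fix; 2.16.0 is the release that closes the issue.
FIXED_VERSION = "2.16.0"


def parse_version(v):
    """Turn '2.14.1' or '2.0-beta9' into a comparable tuple.
    A pre-release tag sorts before the final release with the same numbers."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Za-z0-9]+))?$", v.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    major, minor, patch, tag = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if tag else 1, tag or "")


def is_core_vulnerable(version):
    """log4j-core older than the fixed release is in scope for CVE-2021-44228."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def read_pom_version(data):
    """Extract the version=... line from a pom.properties file."""
    for line in data.decode("utf-8", errors="replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def scan_jar_bytes(data):
    """Classify one JAR given as bytes. Returns (artifact, version, verdict);
    verdict is one of: vulnerable, fixed, unknown-version, api-only, clean."""
    artifact, version, has_jndi = None, None, False
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for entry in zf.namelist():
            if entry == JNDI_LOOKUP:
                has_jndi = True
                continue
            m = POM_PROPS_RE.match(entry)
            if m and (m.group(1) == "log4j-core" or artifact is None):
                # log4j-core wins over log4j-api when an uber JAR bundles both
                artifact, version = m.group(1), read_pom_version(zf.read(entry))
    if artifact == "log4j-core" and version is not None:
        return (artifact, version, "vulnerable" if is_core_vulnerable(version) else "fixed")
    if artifact == "log4j-core" or has_jndi:
        return ("log4j-core", None, "unknown-version")
    if artifact == "log4j-api":
        # log4j-api alone does not contain the JNDI lookup code
        return (artifact, version, "api-only")
    return (None, None, "clean")


def scan_directory(root):
    """Walk a deployment directory and classify every .jar found."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".jar"):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    findings[path] = scan_jar_bytes(fh.read())
    return findings


def make_jar(entries):
    """Constructed fixture: build an in-memory JAR from {path: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def pom_properties(artifact, version):
    return f"groupId=org.apache.logging.log4j\nartifactId={artifact}\nversion={version}\n"


# Constructed sample JARs: metadata only, class bodies are placeholder bytes.
SAMPLE_JARS = {
    "log4j-core-2.14.1.jar": make_jar({
        POM_PATH.format("log4j-core"): pom_properties("log4j-core", "2.14.1"),
        JNDI_LOOKUP: b"\xca\xfe\xba\xbe",
    }),
    "log4j-core-2.16.0.jar": make_jar({
        POM_PATH.format("log4j-core"): pom_properties("log4j-core", "2.16.0"),
    }),
    "log4j-api-2.14.1.jar": make_jar({
        POM_PATH.format("log4j-api"): pom_properties("log4j-api", "2.14.1"),
    }),
    "shaded-app.jar": make_jar({JNDI_LOOKUP: b"\xca\xfe\xba\xbe"}),   # no Maven metadata
    "logback-classic-1.2.7.jar": make_jar({"ch/qos/logback/classic/Logger.class": b"\xca\xfe"}),
}


def scan_samples():
    """Verdict per constructed sample JAR."""
    return {name: scan_jar_bytes(data)[2] for name, data in SAMPLE_JARS.items()}


if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        print(f"{name}: {verdict}")
```

Point scan_directory at a deployment's lib directory to get the same verdicts for real JARs. Anything reported as unknown-version needs manual inspection, since a shaded JAR can carry a vulnerable log4j-core without any version metadata, and anything reported as api-only matches the Spring Data case in the text: present, but not in scope for this CVE.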
Company
Aerospike
Date published
Dec. 16, 2021
Author(s)
Ronen Botzer
Word count
635
Hacker News points
None found.
Language
English