Vitess – New patch release (v12.0.1) with Apache Log4j patch

Today’s blog is a short but important one. As you may be aware, a new vulnerability has been identified in Apache Log4j, a widely used Java logging library. It has been assigned CVE-2021-44228 and is commonly referred to as Log4Shell. The issue is serious: remote code execution triggered by a specially crafted string that merely gets logged (Log4j's message lookups resolve a pattern such as ${jndi:ldap://...} by fetching and loading a class from an attacker-controlled server), rated 10/10 on the CVSS scale. As you would expect, everyone scrambled to update the software they use and patch the software they wrote.

Vitess has just published a patch release for v12, making it v12.0.1. On top of a couple of small bug fixes, it bumps the Log4j dependency (log4j-api) of the Vitess Java client to a version not affected by CVE-2021-44228. Vitess itself is written in Go; Log4j is only pulled in by the Java client libraries, and the vulnerable JNDI lookup class lives in log4j-core, so if you build the Java client yourself, confirm that both log4j-api and log4j-core resolve to the fixed version. We strongly recommend proceeding with the upgrade. We described one way to do it, in a Kubernetes environment using the Vitess Operator, in one of our earlier blog posts. The only change is that you should use vitess/lite:v12.0.1 as the new version.
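As an added example (not from the original post or the Vitess project), here is a small POSIX shell script that bumps every vitess/lite image reference in a VitessCluster manifest to v12.0.1 and refuses to proceed if any older tag remains. The manifest is a constructed sample: its field names follow the VitessCluster image layout, but the cluster, the file path and the starting tag v12.0.0 are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post or the Vitess project): bump every
# vitess/lite image reference in a VitessCluster manifest to v12.0.1 and verify
# that no older tag remains before applying it. The manifest below is a
# constructed sample; the cluster itself is hypothetical.

OLD_TAG="v12.0.0"
NEW_TAG="v12.0.1"

# Write the constructed sample manifest to the given path.
write_sample_manifest() {
  cat > "$1" <<'EOF'
apiVersion: planetscale.com/v2
kind: VitessCluster
metadata:
  name: example
spec:
  images:
    vtctld: vitess/lite:v12.0.0
    vtgate: vitess/lite:v12.0.0
    vttablet: vitess/lite:v12.0.0
    vtbackup: vitess/lite:v12.0.0
    mysqld:
      mysql56Compatible: vitess/lite:v12.0.0
    mysqldExporter: prom/mysqld-exporter:v0.11.0
EOF
}

# Count the vitess/lite references in a manifest that carry the given tag
# (an empty tag counts every vitess/lite reference). Prints 0 when none match.
count_vitess_images_at_tag() {
  grep -c "vitess/lite:$2" "$1" || true
}

# Rewrite only the vitess/lite tag; other images (e.g. mysqld-exporter) stay
# untouched. A .bak copy of the original manifest is kept beside it.
bump_vitess_images() {
  sed -i.bak "s#vitess/lite:${OLD_TAG}#vitess/lite:${NEW_TAG}#g" "$1"
}

# Succeed only if the manifest references vitess/lite at all and every such
# reference is at NEW_TAG.
verify_vitess_images() {
  total=$(count_vitess_images_at_tag "$1" "")
  fixed=$(count_vitess_images_at_tag "$1" "$NEW_TAG")
  [ "$total" -gt 0 ] && [ "$total" -eq "$fixed" ]
}

# Run the whole procedure on the sample manifest.
main() {
  manifest="${TMPDIR:-/tmp}/vitesscluster-example.yaml"
  write_sample_manifest "$manifest"
  bump_vitess_images "$manifest"
  if verify_vitess_images "$manifest"; then
    echo "all vitess/lite images now at ${NEW_TAG}; apply with: kubectl apply -f $manifest"
  else
    echo "manifest still references an older vitess/lite tag" >&2
    return 1
  fi
}

main "$@"
```

Once the verified manifest is applied with kubectl apply, the operator rolls the components over to the new image. After the rollout, confirm what is actually running rather than trusting the manifest alone, for example by listing container images with kubectl get pods -o jsonpath='{.items[*].spec.containers[*].image}' and checking that no vitess/lite tag older than v12.0.1 remains.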

Make sure you upgrade Vitess so that you stay protected against the Log4Shell vulnerability.