Security Advisory 14th Dec 2021
Update: 24th December 2021
We have updated the Apache Spark JDBC driver used by Matillion ETL for Delta Lake on Databricks customers as advised by Databricks. This update is now available for customers as version 1.59.9.
Our analysis shows that all log4j dependencies are at v2.17 except one: a potential vulnerability is being reported on a version of sb_slf4j-log4j.
We are working with Databricks to ascertain any necessary steps for remediation, and are still awaiting an update as of 24th Dec 2021.
Overview
Matillion continues our analysis of the Apache Log4j vulnerability (CVE-2021-44228) announced on December 9, 2021. Since the initial announcement, in addition to monitoring the threat, our Security and Engineering teams have been working diligently to understand the scope and risk profile of this vulnerability and fix any impacted systems.
Matillion ETL on AWS and GCP (Redshift, BigQuery & Snowflake but excluding Databricks)
We have validated all versions of the product from 1.37.6 to 1.59 available in AWS and confirmed that none of the included third-party dependencies make use of the vulnerable log4j library (Ver 2.0.1-2.15.0) by default.
Matillion ETL on Azure (all editions)
We have validated version 1.59 (latest release) and confirmed that neither Matillion ETL nor any of the included third-party dependencies make use of the Log4j library (Ver 2.0.1-2.15.0) by default. Whilst we are confident that versions prior to 1.59 do not contain the affected libraries, we cannot conclusively rule out the possibility of different cloud vendors introducing a vulnerable third-party dependency during build. We will continue to validate this and provide a further update by the end of the week.
On Matillion ETL for Databricks (on AWS and Azure)
We have identified that the Apache Spark JDBC driver used by Matillion ETL for Databricks Delta Lake customers could be vulnerable to this issue if customers have specifically configured driver logging. We are working with Databricks to ascertain any necessary steps for remediation.
Due to the way we automate the image building process, we cannot conclusively rule out the possibility of different cloud vendors introducing a vulnerable third-party dependency during build. We have carried out sufficient manual checks to be confident that there are no differences, but will continue to validate this and provide further updates, if required.
Custom upgrades or configurations/AWS Private Image Build
We are aware that some customers may have made changes to their METL instances since provision. Where this is the case, we are unable to offer conclusive guidance that your instance remains free from affected versions of log4j (Ver 2.0.1-2.15.0). Where custom changes to a build have been made internally, we recommend that you contact customer support or your internal security team for further guidance.
Please note that custom JDBC drivers uploaded into Matillion ETL could bundle a vulnerable version of log4j. We recommend checking with the vendors of those drivers. You can view your custom drivers here.
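As an added example (not Matillion's own tooling), the kind of offline check a customer could run over uploaded driver JARs: it looks for the log4j-core Maven descriptor inside a JAR and any nested JARs, reads the version, and flags a copy as vulnerable when it falls in the advisory's 2.0.1-2.15.0 range and still contains JndiLookup.class. The file paths, the sample JARs and the `build_sample_jar` helper are constructed for the example.

```python
import io
import zipfile

# Affected range named in the advisory for CVE-2021-44228 (log4j-core 2.0.1 to 2.15.0).
VULN_MIN, VULN_MAX = (2, 0, 1), (2, 15, 0)
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); a '-beta9' style suffix is ignored."""
    nums = [int(p) if p.isdigit() else 0 for p in text.split("-")[0].split(".")]
    return tuple((nums + [0, 0, 0])[:3])


def scan_jar(data, path="driver.jar"):
    """Return one finding per log4j-core copy in a JAR, recursing into nested JARs."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        names = jar.namelist()
        if POM_PROPS in names:
            props = dict(
                line.split("=", 1)
                for line in jar.read(POM_PROPS).decode().splitlines()
                if "=" in line and not line.startswith("#")
            )
            version = props.get("version", "unknown").strip()
            in_range = VULN_MIN <= parse_version(version) <= VULN_MAX
            findings.append({
                "path": path,
                "version": version,
                "jndi_lookup_present": JNDI_CLASS in names,
                # Removing JndiLookup.class was the documented mitigation for old versions.
                "vulnerable": in_range and JNDI_CLASS in names,
            })
        for name in names:  # shaded/fat JDBC drivers often embed other JARs
            if name.endswith(".jar"):
                findings.extend(scan_jar(jar.read(name), f"{path}!{name}"))
    return findings


def build_sample_jar(version, include_jndi=True, nested=None):
    """Constructed stand-in for a driver JAR; used only to exercise scan_jar offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
        if include_jndi:
            jar.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder class bytes
        if nested:
            jar.writestr("lib/log4j-core.jar", nested)
    return buf.getvalue()
```

To check a real upload, pass the bytes of the driver file to `scan_jar` and review any finding whose `vulnerable` flag is set.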
Data Loader
Neither Data Loader nor any included third-party dependencies make use of the Log4j library (Ver 2.0.1-2.15.0) as of December 14th 2021. After an extensive investigation we have no evidence of any malicious attempt to exploit any vulnerable libraries in Data Loader.
Matillion BI Services
Customers using our BI Services are not affected by this vulnerability. We have undertaken scans of the supporting internal and external infrastructure and confirm we do not make use of affected libraries.
Need more help?
We will be continuing to assess the situation and perform additional scans on different versions of Matillion ETL. A further update will be provided by the end of the week (17th December 2021).
The updated advisory can be found here.
For further assistance, submit a case at the Matillion Support Portal.