Providing an update to the above in response to the coverage to date and also taking time to reflect on the extent of our testing in response to the log4j security vulnerability.
Our tests were two-fold: 1) We went through the code bases of key components to evaluate our logging strategy for externally provided strings and usage of log4j. And 2) we ran a set of tests against our estate in an attempt to trigger the vulnerability.
The outcome of these tests give us confidence that at least the latest (and likely, but not guaranteed, previous versions of) Snowplow components are not exploitable by this vulnerability. However, our dependencies may still be. We continually monitor our dependencies (and their dependencies, and so on) in both our components and containers - and we will of course respond promptly to vulnerability reports and fixes. But the analysis of the vulnerability suggests the reports and fixes may take some time to surface.
Our testing yesterday was performed on the configurations we run ourselves and deploy for our customers, which have the latest versions of components and late (if not latest) versions of the runtime. It is worth noting that these tests would not indicate that your pipeline is safe from this exploit if you are running an older version of Snowplow and/or an affected version of Java,
Anyone consuming our recent Docker images (the most common way to deploy Snowplow OS) should be using an unaffected version of Java. If you’re deploying our jar files, you may be at higher risk.
As a reminder, this vulnerability is expected to have widespread impact. While we’re doing what we can to protect the assets the Snowplow community is responsible for, there may be issues discovered in the platforms our components run on, depend on and integrate with.
Our strong recommendation to our community is to follow the guidance regarding checking and bumping Java versions where you can, and applying the config change where you can’t - ideally both. And as standard, we would also recommend ensuring that you are on the latest versions of our components. The Internet is being actively scanned for this exploit and it’s a trivial test to identify it.
Snowplow Customers in our community reading this can be assured that our confidence around your pipelines remains very high given our commitment to keeping the components and runtime up to date.
This is a gnarly issue that seems like it’s going to run for some time. We wish all of the community the best with this and hope we can support each other - and the wider tech community - through what could be a tough time.