Amazon released a security alert:
“We are actively patching all sub-systems that use Log4j2 by applying updates. The Kinesis Client Library (KCL) version 2.X and the Kinesis Producer Library (KPL) are not impacted. For customers using KCL 1.x, we have released an updated version and we strongly recommend that all KCL version 1.x customers upgrade to KCL version 1.14.5 (or higher) which is available.”
The enricher and S3 loader probably need to be upgraded to the recommended Kinesis Client Library (1.14.5)?
Thanks for the update. We’re prioritising the assets which potentially have log4j on their classpath in production. The KCL only includes log4j as a test dependency so we haven’t bumped that yet. We will update to the latest KCL once we’ve iterated through the other dependencies/assets we feel are more pressing to update.
Please see the advisory for more information on this: Advisory: Impact of Log4j 2 CVE-2021-44228 on Snowplow components - #6 by stevecs
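The reply above draws the distinction that matters for triage: a library that pulls log4j in only as a test dependency does not put log4j-core on the production classpath, whereas an application jar that bundles log4j-core does. The check a practitioner wants is therefore not the dependency tree of the library but the contents of the deployed artifact. The script below is an added example written for this thread, not Snowplow code: it walks a jar (recursing into nested jars inside fat/uber jars), looks for log4j-core’s `JndiLookup.class`, reads the bundled log4j-core version from the Maven `pom.properties`, and flags versions below 2.15.0, the release that disabled the JNDI lookup behind CVE-2021-44228. The two sample artifacts (`app-with-core.jar`, `app-api-only.jar`) are constructed in memory for illustration; the jar names, class bytes and version strings are assumptions, not real Snowplow builds.

```python
"""Scan JVM artifacts (JARs, including nested JARs inside fat/uber JARs) for
log4j-core's JndiLookup class and report the bundled log4j-core version.

Added example for this thread, not Snowplow code. The sample archives built
below are constructed for illustration only.
"""
import io
import re
import zipfile

# The class implementing the ${jndi:...} lookup behind CVE-2021-44228. It ships
# in log4j-core, not log4j-api: an artifact whose runtime classpath carries only
# the API (or that uses log4j solely as a test dependency) does not contain it.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
CORE_POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# 2.15.0 was the first release to disable the JNDI lookup by default; later
# advisories raised the recommended floor further.
FIRST_FIXED = (2, 15, 0)


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); a non-numeric suffix such as '-rc1' is dropped."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def core_version_from_pom(props_text):
    for line in props_text.splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def scan_jar_bytes(data, path):
    """Return findings for one archive, recursing into nested .jar/.war/.zip
    entries. A finding records the archive path, whether JndiLookup.class is
    present, and the log4j-core version when its pom.properties is bundled.
    Caveat: a shaded build that relocates the package evades this path check."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    names = set(zf.namelist())
    version = None
    if CORE_POM_PROPS in names:
        version = core_version_from_pom(zf.read(CORE_POM_PROPS).decode("utf-8", "replace"))
    has_lookup = JNDI_LOOKUP in names
    if has_lookup or version is not None:
        findings.append({"path": path, "jndi_lookup": has_lookup, "log4j_core_version": version})
    for name in names:
        if name.lower().endswith((".jar", ".war", ".zip")):
            findings.extend(scan_jar_bytes(zf.read(name), f"{path}!/{name}"))
    return findings


def is_vulnerable(finding):
    """True when JndiLookup.class is present and the version is unknown or < 2.15.0."""
    if not finding["jndi_lookup"]:
        return False
    v = finding.get("log4j_core_version")
    return v is None or parse_version(v) < FIRST_FIXED


def _build_jar(entries):
    """Build an in-memory jar from {entry_name: content} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def sample_artifacts():
    """Two constructed fat jars modelled on the situation in the thread (hypothetical)."""
    fake_class = b"\xca\xfe\xba\xbe"  # placeholder class-file bytes, not a real class
    log4j_core_old = _build_jar({
        JNDI_LOOKUP: fake_class,
        CORE_POM_PROPS: "version=2.14.1\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n",
    })
    log4j_api_only = _build_jar({
        "org/apache/logging/log4j/Logger.class": fake_class,
        "META-INF/maven/org.apache.logging.log4j/log4j-api/pom.properties": "version=2.14.1\n",
    })
    return {
        # Hypothetical app bundling log4j-core 2.14.1 at runtime: must be upgraded.
        "app-with-core.jar": _build_jar({"lib/log4j-core-2.14.1.jar": log4j_core_old,
                                         "com/example/Main.class": fake_class}),
        # Hypothetical app whose runtime classpath has only log4j-api, as when a
        # library uses log4j-core solely as a test dependency: no JndiLookup.
        "app-api-only.jar": _build_jar({"lib/log4j-api-2.14.1.jar": log4j_api_only,
                                        "com/example/Main.class": fake_class}),
    }


def scan_all(artifacts):
    """Map each top-level artifact name to whether it carries a vulnerable log4j-core."""
    return {name: any(is_vulnerable(f) for f in scan_jar_bytes(data, name))
            for name, data in artifacts.items()}


if __name__ == "__main__":
    for name, vuln in scan_all(sample_artifacts()).items():
        print(f"{name}: {'VULNERABLE' if vuln else 'ok'}")
```

Against real deployments, replace `sample_artifacts()` with the bytes of the jars actually shipped (the enrich and S3 loader fat jars, the Docker image layers), since that is what the classpath prioritisation in the thread is about. A jar from which `JndiLookup.class` has been deleted as a mitigation will correctly scan as clean, and a relocated (shaded) copy will not be found by the path check, so treat a clean result as one input to the decision rather than proof.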
We had to pull the applications due to our own internal security guidelines, do you have rough timeline for bump?
Hopefully soon. We’re going to try and upgrade KCL in Enrich with the upcoming v2.0.4 release. If it upgrades with no problems we’ll include it. If it decides to not behave itself, we’ll move it to v2.0.5.
S3 Loader should be easier, as it’s only a patch bump, so we’ll try and get that done before the end of the week for you.
S3 Loader v2.1.2 is out with the KCL bump for you.
We’re going to push out a v2.0.4 of Enrich first since that’s further along with its internal testing. Then we will bump the KCL in Enrich in a v2.0.5. We’ll start that as soon as v2.0.4 is done, with an aim for the end of the week hopefully.
Very much appreciated and thank you for the reply during what I can imagine is a very busy time. We all should be winding down for the Christmas/holiday break, not the opposite. I hope everything goes smoothly for you guys investigating the classpath of priority assets.