Log4j 2 Looker updates

What happened / What is the Apache Log4j vulnerability?

Multiple security vulnerabilities in Apache Log4j 2.X, including CVE-2021-44228,CVE-2021-45046,CVE-2021-44832,CVE-2021-45105, CVE-2021-44832, have been disclosed starting on December 10, 2021. The vulnerabilities range from a critical 0-day exploit in the library that can allow attackers to perform Remote Code Execution (RCE) to potential DOS concerns, all with varying levels of CVSS scores.

Is Looker impacted? How did Looker respond?

Looker uses Log4j in its application and the team has addressed the vulnerability by reviewing Looker's usage and configuration of the Log4j libraries and upgrading the Log4j libraries with a patch that includes at least version 2.17.0 released by Apache as indicated in the Apache Log4j Security Vulnerabilities website.

Looker-hosted instances have been updated with a Looker version that uses Log4j 2.17.0. Third party driver dependencies have been updated to the most up-to-date version provided by the third parties. Customers on customer hosted instances should update their instance as soon as possible to a version listed at the bottom of this page which contains these updated versions of Log4j 2 for Looker and third party drivers.

Looker product and security teams have determined that Looker is not vulnerable to CVE-2021-44832 due to our usage and configuration of the library.

How has Looker mitigated the Log4j vulnerability?

Looker has updated or released patched versions with updated Log4j libraries.  Looker will continue to follow a remediation process to monitor and update our Log4j libraries as new updates become available and as our third parties update their libraries. Looker has set up monitoring and alerting in response to the known Log4j vulnerabilities and, if needed, we will communicate on issues through our standard incident response process.

How can I see what version my instance is on?

Click on the question mark icon in the upper-right section of your Looker instance. Your version number will be shown to the right of the Release Notes section.