It looks like the Couchbase Analytics Service (CBAS) uses Log4j but I could not see a release for Couchbase server to address the log4j vulnerability when I checked the releases and the advisories page here https://www.couchbase.com/alerts.
Is couchbase going to release a version that updates log4j for CBAS or release a workaround etc?
Thank you for using Couchbase and participating in our community forums.
I would encourage you to review our blog post What to Know About the Log4j Vulnerability CVE-2021-44228 which has details about the affected software and mitigations.
Ian McCloy, Couchbase Principal Product Manager
Great thanks @ianmccloy that helps!
Hi @ianmccloy , thanks for the info.
I have read the blog & the release note 6.6.4, which will updates Log4J to 2.15. Apache recently release Log4j 2.17, will there be a updated version of 6.6.4 which will include the latest version of Log4j?
Couchbase is actively monitoring the situation with additional vulnerabilities discovered in Log4J, the updated version 2.17 resolves CVE-2021-45046 and CVE-2021-45105. Due to how Log4J is used by Couchbase we are not aware of any Couchbase products vulnerable to these security issues. We continue to monitor the research and will be planning additional product updates if needed in addition to our normally scheduled maintenance.