It looks like the Couchbase Analytics Service (CBAS) uses Log4j but I could not see a release for Couchbase server to address the log4j vulnerability when I checked the releases and the advisories page here https://www.couchbase.com/alerts.
Is couchbase going to release a version that updates log4j for CBAS or release a workaround etc?
Hi @ianmccloy , thanks for the info.
I have read the blog & the release note 6.6.4, which will updates Log4J to 2.15. Apache recently release Log4j 2.17, will there be a updated version of 6.6.4 which will include the latest version of Log4j?
Couchbase is actively monitoring the situation with additional vulnerabilities discovered in Log4J, the updated version 2.17 resolves CVE-2021-45046 and CVE-2021-45105. Due to how Log4J is used by Couchbase we are not aware of any Couchbase products vulnerable to these security issues. We continue to monitor the research and will be planning additional product updates if needed in addition to our normally scheduled maintenance.