log4j vulnerability (CVE-2021-44228) impact on DataFlow

FYI I got this email from Google a few minutes ago, I could not find an online page as reference so I’m posting it here:

Dear Google Cloud customer

Google Cloud is actively following the security vulnerability in the open-source Apache “Log4j 2” utility (CVE-2021-44228). We are currently assessing the potential impact of the vulnerability for Google Cloud products and services. This is an ongoing event and we will continue to provide updates through our customer communications channels.

A security vulnerability, CVE-2021-44228, has been disclosed in the Apache Log4j versions 2.0 to 2.14.1 and Dataflow users may be vulnerable to Log4j 2 under certain circumstances. Specifically, users that meet the following criteria should take immediate action:

Use Apache Beam version 2.31.0 or an older version
Include a vulnerable version of Log4j either directly or indirectly in the Apache Beam pipeline. Users can identify if they are using an impacted Log4j 2 version in their Dataflow pipeline by inspecting the classpath or by inspecting the filesToStage pipeline option if they are not using an uber jar.
Log input. (Apache Beam, by default, does not log user provided input but users can change this behavior)
Immediate Action

We strongly recommend the following actions.

Users using Apache Beam version 2.31.0 or older should update all Dataflow pipelines to Apache Beam version 2.32.0 or newer. These Apache Beam versions do not have any direct dependencies on Log4j 2.
All users should update direct and indirect dependencies (if any) on Log4j 2 to version 2.15.0 or later by updating your build configuration.
Additional Notes

Cloud Dataflow workers do not carry the Log4j 2 dependency.
Apache Beam versions 2.32.0 or later do not have public facing dependencies on Log4j 2.
Cloud Dataflow Templates base image does not have a Log4j 2 dependency. Google provided templates do not have a dependency on the impacted Log4j 2 versions.
Apache Beam, by default, does not log user provided input but users can change this behavior. Note that users might still be impacted if user code, a dependency, or a transitive dependency is using an impacted Log4j 2 dependency AND user code logs user provided and/or untrusted input.
Apache Beam test environment (not available to Apache Beam users) has been updated to the latest version of Log4j on Dec 10, 2021.
Background

The Apache Log4j utility is a commonly used component for logging requests. On December 9, 2021, a vulnerability was reported that could allow a system running Apache Log4j version 2.14.1 or below to be compromised and allow an attacker to execute arbitrary code.

On December 10, 2021, NIST published a critical Common Vulnerabilities and Exposure alert, CVE-2021-44228. More specifically, Java Naming Directory Interface (JNDI) features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from remote servers when message lookup substitution is enabled.
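As an added example (not part of the email above, and not code from Google or Apache Beam), here is a defender-side check for the classpath / filesToStage inspection the email recommends: it opens each staged JAR, reads the log4j-core Maven version from inside the archive (so a shaded uber jar is covered as well as a plain log4j-core jar), falls back to the file name, and flags anything in the 2.0 to 2.14.1 range. The jar names and contents below are constructed sample data.

```python
import io, re, zipfile
# Affected range from the advisory above: Log4j 2.0 through 2.14.1.
AFFECTED_MIN, AFFECTED_MAX = (2, 0, 0), (2, 14, 1)
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
def parse_version(s):
    # "2.14.1" -> (2, 14, 1); missing components are padded with 0
    nums = [int(p) for p in re.findall(r"\d+", s)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def is_affected(version):
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX

def scan_jar(data):
    # Look inside the archive, so a shaded/uber jar is covered as well as a
    # plain log4j-core jar; returns (version-or-None, JndiLookup present?)
    version = None
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode().splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        return version, JNDI_LOOKUP in names

def classify(name, data):
    # Verdict for one staged file: "AFFECTED", "REVIEW" or "ok"
    version, has_jndi = scan_jar(data)
    if version is None:  # fall back to the file name for an unshaded jar
        m = re.search(r"log4j-core-(\d+(?:\.\d+){1,2})\.jar$", name)
        version = m.group(1) if m else None
    if version and is_affected(version):
        return "AFFECTED"
    return "REVIEW" if has_jndi and version is None else "ok"
def make_jar(entries):
    # Constructed sample JAR for the demo, not a real artifact
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n, content in entries.items():
            zf.writestr(n, content)
    return buf.getvalue()
if __name__ == "__main__":
    staged = {  # stand-in for the jars listed in --filesToStage
        "log4j-core-2.14.1.jar": make_jar({JNDI_LOOKUP: b"", POM_PROPS: "version=2.14.1\n"}),
        "pipeline-bundled.jar": make_jar({JNDI_LOOKUP: b"", POM_PROPS: "version=2.15.0\n"}),
        "guava-30.1.jar": make_jar({"META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n"}),
    }
    for name, data in staged.items():
        print(f"{classify(name, data):9} {name}")
```

To run it against a real pipeline, read each path from the --filesToStage value (or the worker classpath) with open(path, "rb") and pass the bytes to classify; a "REVIEW" verdict means JndiLookup is present but the version could not be determined and deserves a manual look.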