Patch for Log4j CVE-2021-44228


TigerGraph is aware of the recently disclosed security vulnerability relating to the open-source Apache “Log4j2" utility (CVE-2021-44228). Additionally, TigerGraph is aware of a vulnerability affecting Apache Log4j v1 (CVE-2021-4104)

TigerGraph has created a patch to address both of these issues.

The provided patch will update the GSQL Server and Client to use Log4j 2.17.0 and remove the JMSAppender.class from the Apache Kafka and Apache ZooKeeper package included in TigerGraph. This resolution is described here: Apache Kafka

Below we list TigerGraph (TG) components that are using Log4j or Log4j2 and the process to apply the patch.

TG 2.5.y and TG 2.6.y

GSQL Server - Apache Log4j 1.2.17 GSQL Client - Not affected (doesn’t use log4j)

TG 3.x.y GSQL Server - Apache Log4j 1.2.17 GSQL Client Apache Log4j 2.13.3 (>= TG 3.1.0) Apache Log4j 2.13.1 (< TG 3.1.0)

TG 2.x Kafka (kafka_2.10- - log4j 1.2.17 ZooKeeper 3.4.6 (zookeeper-3.4.6.tar.gz) - log4j 1.2.16

TG 3.0.x Kafka 2.3.0 (kafka_2.12-2.3.0.tar.gz) - log4j 1.2.17 ZooKeeper 3.5.8 (zookeeper-3.5.8).tar.gz - log4j 1.2.17

TG 3.1.x - 3.5.x Kafka 2.5.1 (kafka_2.12-2.5.1.tar.gz) - log4j 1.2.17 ZooKeeper 3.6.3 (zookeeper-3.6.3).tar.gz - log4j 1.2.17

Please note that the builds of Apache Kafka and Apache Zookeeper offered in TG currently use log4j 1.2.17 or 1.2.16, which is not affected by CVE-2021-44228. As Apache Kafka and Apache ZooKeeper are updated to use Log4j version 2.16.0 or greater, TigerGraph will work to incorporate these updates.


1.Check your TigerGraph version:

gadmin version

2.If your TigerGraph version is not one of the following versions, please upgrade TigerGraph to one of them by following the upgrade documentation( before proceeding to step 3. 3.x: 3.0.5 3.0.6 3.1.1 3.1.5 3.1.6 3.2.0 3.2.1 3.2.2 3.3.0 2.x: 2.5.2 2.5.3 2.5.4 2.6.6 Note that you can download the above TigerGraph enterprise installation package from

3.Download the security patch for TigerGraph for TigerGraph v3 or v2 from the link below. Note: DO NOT change the x/y in the url. 3.x: 2.x:

4.Untar it and run the included script on the TigerGraph cluster machine

Note: As part of running the script, the Kafka, ZooKeeper, and GSQL services must be restarted. This means the cluster will be temporarily unavailable. The patch application process should only take a few minutes.

Note: All loading jobs should be aborted prior to running the patch


tar -zxvf log4j-fix-3.x.y.tgz
cd log4j-fix-3.x.y


tar -zxvf log4j-fix-2.x.y.tgz
cd log4j-fix-2.x.y

Offline Patching

To run the patch offline you will have to download the files on a separate server and transfer them to the server that needs to be patched.

The GSQL jar files must be moved into the gsql-jars directory in the directory that is untarred. The log4j jar will need to be in the same directory as

So it will look like this:

├── gsql-jars
 │   ├── gsql-3.1.6.jar
 │   └── gsql_client-3.1.6.jar
├── log4j-1.2.17.jar

You can download the gsql jar for your version here:${TG_VERSION}/gsql-${TG_VERSION}.jar

The following files will need to be edited for offline patching

The below sed commands will comment out the lines used for online patching

sed -i -e '23s/^/# /' -e '26,27s/^/# /'
sed -i -e '15s/^/# /' -e '17s/^/# /'

Or you may comment them out manually. source,bash] Comment out lines 23, 26 and 27 in 23 #rm -rf gsql-jars/* 26 #curl --fail -k -LO${TG_VERSION}/gsql-${TG_VERSION}.jar 27 #curl --fail -k -LO${TG_VERSION}/gsql_client-${TG_VERSION}.jar Comment out line 15 and 17 in 15 #rm -rf log4j-1.2.17.jar 17 #curl --fail -k -LO

Once the files have been edited you may now the ./ file

K8S TG image patch

●For our official public docker registry user, the latest version k8s docker image has already been patched. The k8s deployment file is still working, only suggest using below image

●For private k8s docker registry user, please refer to the dockerfile as below link:

Validating the Patch

To validate GSQL client:

mkdir validate_gsql_client
cd validate_gsql_client
jar xf <TG_APP_ROOT>/dev/gdk/gsql/lib/gsql_client.jar
cat META-INF/maven/org.apache.logging.log4j/log4j-core/

To validate GSQL server:

mkdir validate_gsql\
cd validate_gsql
jar xf <TG_APP_ROOT>/dev/gdk/gsql/lib/.tg_dbs_gsqld.jar
cat META-INF/maven/org.apache.logging.log4j/log4j-core/

Both outputs (GSQL client and server) should be:

#Created by Apache Maven 3.8.4

To validate Kafka:

mkdir validate_kafka
cd validate_kafka
jar xf <TG_APP_ROOT>/kafka/libs/log4j-1.2.17.jar
find . -name JMSAppender.class

There should be no output

To validate Zookeeper:

mkdir validate_zk
cd validate_zk
jar xf <TG_APP_ROOT>/zk/libs/log4j-1.2.17.jar
find . -name JMSAppender.class

If you have any questions or require assistance, please contact TigerGraph Support by opening a ticket at or emailing

We’re here to help!