Open akash-apple opened 7 months ago
I'm not sure where banzaicloud's zookeeper operator comes from, but the one that Solr relies on is https://github.com/pravega/zookeeper-operator. The latest release of that is 0.2.15.
The log4j 1.x CVEs were addressed in Zookeeper 3.7.1, which the 0.2.15 version of the Zookeeper Operator uses.
Hey team, the latest released solr-operator (https://artifacthub.io/packages/helm/apache-solr/solr-operator) v0.8.0 has a dependency on the ZooKeeper operator (https://artifacthub.io/packages/helm/banzaicloud-stable/zookeeper-operator) v0.2.15, which in turn depends on an older ZooKeeper version, exposing log4j 1.x usage for Solr.
The latest ZooKeeper version v0.3.0 mitigated this issue by upgrading the underlying ZooKeeper deps. This issue is created to request the release of a new solr-operator chart that depends on the updated ZooKeeper to remediate log4j exposure for downstream Ranger/Solr users.