Hi,
We have detected Log4j vulnerabilities in the Nessus scans related to the Zookeeper StatefulSet being used within the NiFi Helm chart. Is there a way to update the Log4j library or use the latest version?
Please find the details below.
156860 (0/6) Apache Log4j 1.x Multiple Vulnerabilities
Path : /opt/bitnami/zookeeper/bin/../lib/log4j-1.2.17.jar
Installed version : 1.2.17

According to its self-reported version number, the installation of Apache Log4j on the remote host is 1.x and is no longer supported. Log4j reached its end of life prior to 2016. Additionally, Log4j 1.x is affected by multiple vulnerabilities, including :

- Log4j includes a SocketServer that accepts serialized log events and deserializes them without verifying whether the objects are allowed or not. This can provide an attack vector that can be exploited. (CVE-2019-17571)

- Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender. (CVE-2020-9488)

- JMSSink uses JNDI in an unprotected manner allowing any application using the JMSSink to be vulnerable if it is configured to reference an untrusted site or if the site referenced can be accessed by the attacker. (CVE-2022-23302)

Lack of support implies that no new security patches for the product will be released by the vendor. As a result, it is likely to contain security vulnerabilities.
Regards, Mohammed
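To confirm a finding like the one above before and after a chart upgrade, it helps to inventory Log4j jars the same way the scanner does (self-reported version) and additionally check whether the classes behind the three listed CVEs are actually shipped. The script below is an added example written for this thread; it is not part of the NiFi or Zookeeper Helm charts, of the Bitnami image, or of Nessus. It assumes the jar manifest may carry an Implementation-Version header (if absent, the version in the file name is used), and the three sample jars it builds are constructed with empty class entries so the run is offline. Point `scan_tree` at a directory copied out of the pod (for example the `lib` directory from the path in the finding) to inspect real jars.

```python
"""Inventory Log4j 1.x jars under a directory tree.

Added example for this thread; it is not part of the NiFi/Zookeeper chart or
of Nessus. It mirrors what the finding checks (the jar's self-reported
version) and also reports whether the classes behind the three listed CVEs
are present. Assumptions: the manifest may carry an Implementation-Version
header (otherwise the file name is used); the sample jars are constructed.
"""
import os
import re
import tempfile
import zipfile

# Class behind each CVE in the finding, at its path inside a log4j-1.2.x jar.
CVE_CLASSES = {
    "CVE-2019-17571": "org/apache/log4j/net/SocketServer.class",
    "CVE-2020-9488": "org/apache/log4j/net/SMTPAppender.class",
    "CVE-2022-23302": "org/apache/log4j/net/JMSSink.class",
}
LOG4J_MARKER = "org/apache/log4j/Logger.class"   # present even if the jar is renamed
JAR_NAME_RE = re.compile(r"^log4j-(\d+\.\d+(?:\.\d+)?)\.jar$")


def manifest_version(jar):
    """Return the Implementation-Version header of META-INF/MANIFEST.MF, or None."""
    try:
        text = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "Implementation-Version":
            return value.strip()
    return None


def inspect_jar(path):
    """Describe one jar; return None when it does not look like Log4j at all."""
    name_match = JAR_NAME_RE.match(os.path.basename(path))
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
        if not name_match and LOG4J_MARKER not in names:
            return None
        version = manifest_version(jar) or (name_match.group(1) if name_match else None)
        present = sorted(cve for cve, cls in CVE_CLASSES.items() if cls in names)
    return {
        "path": path,
        "version": version,
        "eol_1x": version.startswith("1.") if version else None,
        "cves_with_class_present": present,
    }


def scan_tree(root):
    """Walk root and return one record per jar that identifies as Log4j."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if name.endswith(".jar"):
                record = inspect_jar(os.path.join(dirpath, name))
                if record:
                    findings.append(record)
    return findings


def build_sample_tree(root):
    """Constructed sample input: three jars with empty class entries."""
    lib = os.path.join(root, "lib")
    os.makedirs(lib)
    # Looks like the jar in the finding: versioned name, manifest, all three classes.
    with zipfile.ZipFile(os.path.join(lib, "log4j-1.2.17.jar"), "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nImplementation-Version: 1.2.17\n")
        for cls in [LOG4J_MARKER, *CVE_CLASSES.values()]:
            jar.writestr(cls, b"")
    # Log4j classes under a renamed jar with no version header: still reported.
    with zipfile.ZipFile(os.path.join(lib, "shaded-logging.jar"), "w") as jar:
        jar.writestr(LOG4J_MARKER, b"")
        jar.writestr(CVE_CLASSES["CVE-2019-17571"], b"")
    # Unrelated jar with its own version header: must not be reported.
    with zipfile.ZipFile(os.path.join(lib, "other-3.8.0.jar"), "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nImplementation-Version: 3.8.0\n")
        jar.writestr("org/example/Main.class", b"")


def demo():
    """Build the sample tree in a temp dir and return findings keyed by file name."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    build_sample_tree(root)
    return {os.path.basename(r["path"]): r for r in scan_tree(root)}


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name}: version={r['version']} eol_1x={r['eol_1x']} {r['cves_with_class_present']}")
```

The renamed-jar case matters because a version-only scanner reports nothing once a jar is relocated or shaded, while the deserialization and JNDI code paths are still on the classpath; checking for the class entries catches that. A jar with a version that is not 1.x (or no version at all) is returned with `eol_1x` set accordingly so the caller can decide how to treat it.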