Based on our analysis, Zookeeper is using log4j 1.x, which is not impacted by the Log4Shell CVE. Log4j 1.x has been EOLed for a while and has several other CVEs, but not Log4Shell.
Description
CVE-2021-44228, aka Log4Shell, allows remote code execution in affected versions of log4j. As yet there is no announcement on https://zookeeper.apache.org/security.html, but I'm assuming Zookeeper is impacted until I find something to convince me otherwise.
For Solr, rather than patching, there's a mitigation (see https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228) by setting
SOLR_OPTS="$SOLR_OPTS -Dlog4j2.formatMsgNoLookups=true"
I am hopeful that there is something similar for Zookeeper, and that zookeeper-operator will allow me to set such a config item.
Importance
Security critical, assuming Zookeeper is impacted.
Location
The vulnerability would be in Zookeeper itself, but the ability to set configuration for the mitigation would be applied by zookeeper-operator.
Suggestions for an improvement
First we need to understand whether such a mitigation is available for Zookeeper, so I think we're just waiting for an update to https://zookeeper.apache.org/security.html, unless someone better acquainted with Zookeeper can work out/find what this might be. Then, if so, zookeeper-operator would need to be able to set it, and ultimately should set it by default. Also, it could be a "global" setting passed to the operator, e.g. "for every zookeeper I create, set the mitigation option", or per Zookeeper, so set in the CRD somewhere.
Possibly related to: https://github.com/pravega/zookeeper-operator/issues/252
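The discussion above turns on two questions a defender has to answer for each Java service: which log4j family is actually on the classpath (the maintainers' comment says ZooKeeper ships log4j 1.x, which Log4Shell does not affect), and whether the Solr-style `-Dlog4j2.formatMsgNoLookups=true` setting would even apply. The following script is an added example written for this issue; it is not code from ZooKeeper, Solr or zookeeper-operator. It inventories the jars in a lib directory by the class and Maven metadata entries they carry, then combines that with the JVM options in use to produce a verdict. The jar names, versions and directory layout it builds for demonstration are constructed, not taken from any real installation; the one assumption about log4j itself is that the `formatMsgNoLookups` property is only honoured by log4j 2.10 and later.

```python
"""Inventory the log4j jars on a Java service's classpath and report whether the
Log4Shell mitigation discussed in the issue applies. Added example for this
issue; not code from ZooKeeper, Solr or zookeeper-operator. All jar names,
versions and directory layouts below are constructed for the demonstration."""
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass
from typing import Optional

# Entries that identify the two log4j families inside a jar.
LOG4J2_JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LOG4J2_CORE_POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
LOG4J1_MARKER = "org/apache/log4j/Logger.class"
# The Solr mitigation quoted in the issue; assumption: honoured by log4j 2.10 and later.
MITIGATION_FLAG = "-Dlog4j2.formatMsgNoLookups=true"


@dataclass
class JarFinding:
    path: str
    family: str              # "log4j1", "log4j2-core" or "other"
    version: Optional[str]   # only known for log4j2-core jars carrying pom.properties
    has_jndi_lookup: bool


def inspect_jar(path: str) -> JarFinding:
    """Classify one jar by the class and metadata entries it contains."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        if LOG4J2_JNDI_LOOKUP in names or LOG4J2_CORE_POM in names:
            version = None
            if LOG4J2_CORE_POM in names:
                props = zf.read(LOG4J2_CORE_POM).decode("utf-8", "replace")
                match = re.search(r"^version=(.+)$", props, re.MULTILINE)
                if match:
                    version = match.group(1).strip()
            return JarFinding(path, "log4j2-core", version, LOG4J2_JNDI_LOOKUP in names)
        if LOG4J1_MARKER in names:
            return JarFinding(path, "log4j1", None, False)
    return JarFinding(path, "other", None, False)


def parse_version(version: str) -> tuple:
    """'2.14.1' -> (2, 14, 1); tolerant of suffixes such as '-SNAPSHOT'."""
    return tuple(int(p) for p in re.findall(r"\d+", version)[:3])


def assess(lib_dir: str, jvm_opts: str) -> dict:
    """Scan lib_dir and combine the jar inventory with the JVM options in use."""
    findings = [inspect_jar(os.path.join(lib_dir, f))
                for f in sorted(os.listdir(lib_dir)) if f.endswith(".jar")]
    exposed = [f for f in findings if f.family == "log4j2-core" and f.has_jndi_lookup]
    flag_set = MITIGATION_FLAG in jvm_opts.split()
    if not exposed:
        if any(f.family == "log4j2-core" for f in findings):
            verdict = "log4j2-core present, JndiLookup class absent"
        elif any(f.family == "log4j1" for f in findings):
            verdict = "only log4j 1.x found; formatMsgNoLookups does not apply"
        else:
            verdict = "no log4j found"
    elif flag_set:
        too_old = [f for f in exposed if f.version and parse_version(f.version) < (2, 10)]
        verdict = ("flag set but ignored by log4j older than 2.10" if too_old
                   else "JndiLookup present; formatMsgNoLookups flag set, upgrade still required")
    else:
        verdict = "JndiLookup present and no mitigation flag: exposed"
    return {"findings": findings, "flag_set": flag_set, "verdict": verdict}


def build_sample_lib(include_log4j2: bool = True) -> str:
    """Constructed classpath: a log4j 1.x jar, optionally a log4j 2 core jar, and an unrelated jar."""
    lib = tempfile.mkdtemp(prefix="lib-")
    samples = {
        "log4j-1.2.17.jar": {LOG4J1_MARKER: b""},
        "zookeeper-3.7.0.jar": {"org/apache/zookeeper/ZooKeeper.class": b""},
    }
    if include_log4j2:
        samples["log4j-core-2.14.1.jar"] = {
            LOG4J2_JNDI_LOOKUP: b"",
            LOG4J2_CORE_POM: b"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion=2.14.1\n",
        }
    for jar, entries in samples.items():
        with zipfile.ZipFile(os.path.join(lib, jar), "w") as zf:
            for name, data in entries.items():
                zf.writestr(name, data)
    return lib


if __name__ == "__main__":
    lib = build_sample_lib()
    for opts in ("", MITIGATION_FLAG):
        report = assess(lib, opts)
        print(f"JVM opts {opts!r}: {report['verdict']}")
        for f in report["findings"]:
            print(f"  {os.path.basename(f.path)}: {f.family} {f.version or ''}")
```

Point `assess()` at a real `lib/` directory and pass the service's actual JVM options (for ZooKeeper, whatever the operator ends up injecting into the container's environment) to get the same verdict for a running deployment. The verdict deliberately treats the flag as an interim measure: a log4j 2 jar with `JndiLookup.class` present is still reported as needing an upgrade even when the flag is set, and a classpath containing only log4j 1.x is reported as one where the flag has nothing to act on.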