snowplow / snowplow-elasticsearch-loader

Writes Snowplow enriched events from Kinesis to Elasticsearch
http://snowplowanalytics.com/
11 stars 19 forks source link

Bump log4j-core to 2.16.0 #211

Closed istreeter closed 2 years ago

istreeter commented 2 years ago

This is a cautionary measure in reaction to CVE-2021-44228. We have not yet found any reachable vulnerability in any Snowplow app. You can read more about Snowplow's response to this CVE on Discourse

greg-md commented 2 years ago

@istreeter I have an old, dockerized version of snowplow mini, which still use docker images from snowplow-docker-registry.bintray.io registry. I think everything was installed based on https://snowplowanalytics.com/blog/2017/10/13/snowplow-docker-images-released/

Seems like from 2017, the way how snowplow mini works has changed and there is no documentation on how to upgrade all the images and apply the breaking changes.

Do you think this vulnerability might work in older versions? Or we should be pretty safe to leave it as is? Because upgrading all that without documentation would be hard and might be not possible to take it to the end.

istreeter commented 2 years ago

Hi @greg-md, unfortunately we have not done a thorough assessment of old versions of Snowplow apps, e.g. the ones from 2017. For the latest versions, we basically figured out that we could not find any place in the code that was reachable by an external attack, and we figured this out by running simulations and scrutinizing the code. We bumped all library versions anyway because it's the sensible precaution, especially when handling customer data.

If it was me (and my customers' data) then I would want to bump the Snowplow apps to the latest versions.

I strongly recommend the guides and documentation on the Snowplow docs site to help with the upgrades. And if you have questions then there's a helpful community of people over on Discourse who would be happy to help you out.