Zookeeper - Due Date for Log4J Upgrade - log4j

The Log4j version (1.x) used by Apache ZooKeeper exposes users to the following CVEs:
Critical:
CVE-2019-17571
CVE-2022-23305
CVE-2022-23307
High:
CVE-2022-23302
CVE-2021-4104
Low:
CVE-2020-9488
When (in which release) will ZooKeeper be upgraded to the latest Log4j release?
Is there a workaround?
Thanks.

Related

Is it possible to upgrade the Pulsar broker without upgrading BookKeeper?

I want to upgrade the Pulsar brokers in a Pulsar cluster (from 2.6.3 to 2.10.1).
The question is: could I just upgrade the brokers to 2.10.1 and leave the other components (BookKeeper as well as ZooKeeper) at 2.6.3?
(Asking this because, according to https://pulsar.apache.org/docs/administration-upgrade, I am not sure whether I also need to upgrade BookKeeper.)
Thank you!
2.6.3 contains a very old version of ZooKeeper (3.5.x) and from Pulsar 2.8.x onwards we require ZooKeeper 3.6.x because Pulsar uses the Persistent Recursive Watches feature.
I suggest upgrading ZooKeeper and BookKeeper as well, at least to Pulsar 2.8.x.
As a general rule of thumb, in Pulsar we support rolling upgrades from one major version to the next (so from 2.6 to 2.7, ...).
Jumping from 2.6 to 2.10 is not supported officially, but it should work.

Which versions of Kafka are impacted by Log4j CVE-2021-44228?

Which versions of Kafka are impacted by CVE-2021-44228?
Nothing has been posted yet on Apache Kafka Security Vulnerabilities about this vulnerability.
Update 2021-12-15
Apache Kafka Security Vulnerabilities has confirmed:
CVE-2021-45046
Users should NOT be impacted by this vulnerability
CVE-2021-44228
Users should NOT be impacted by this vulnerability
CVE-2021-4104
Version 1.x of Log4J can be configured to use JMS Appender, which publishes log events to a JMS Topic. Log4j 1.x is vulnerable if the deployed application is configured to use JMSAppender.
So please check the site for details.
Update 2021-12-13
As suggested by bovine, Log4j 1.x may also be affected by this vulnerability.
Strictly speaking, applications using Log4j 1.x may be impacted if their configuration uses JNDI. However, the risk is much lower.
Please refer to this link for the latest status.
Evidence for not using Log4j 2
By checking dependencies.gradle of Kafka 1.0.0 and 3.0.0:
both are using 1.2.17.
As the issue affects versions from 2.0-beta9 to 2.14.1, Kafka is not affected by this security vulnerability.
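As an added example (not from the answer above or the Kafka project), a small Python checker that applies the version range stated in the answer to Gradle-style dependency coordinates: log4j-core versions from 2.0-beta9 through 2.14.1 are flagged for CVE-2021-44228, and Log4j 1.x is reported as outside that CVE but in need of the JMSAppender configuration check from the Kafka advisory quoted earlier. The sample dependency list is constructed to resemble the layout of dependencies.gradle and is not Kafka's real file; the two excluded backport versions (2.12.2 and 2.3.1) are the releases that shipped the fix for older Java lines.

```python
import re
from typing import List, Tuple

# Affected range exactly as stated in the answer above.
AFFECTED_LOW, AFFECTED_HIGH = "2.0-beta9", "2.14.1"
# Backport releases inside that range that already carry the fix (known fact, not from the page).
FIXED_BACKPORTS = {"2.12.2", "2.3.1"}
_STAGE_RANK = {"beta": 0, "rc": 1}           # pre-release ordering: beta < rc < final
_COORD = re.compile(r'["\']([\w.-]+):([\w.-]+):([\w.-]+)["\']')  # "group:artifact:version"

def version_key(v: str) -> tuple:
    """Sort key so that 2.0-beta9 < 2.0-rc1 < 2.0 < 2.0.1 < 2.14.1."""
    base, _, pre = v.partition("-")
    nums = tuple(int(x) for x in base.split("."))
    nums += (0,) * (3 - len(nums))             # pad 2.0 -> 2.0.0
    if pre:
        m = re.fullmatch(r"([a-z]+)(\d*)", pre)
        stage, num = _STAGE_RANK.get(m.group(1), 0), int(m.group(2) or 0)
    else:
        stage, num = 2, 0                      # final release sorts after any pre-release
    return nums + (stage, num)

def classify(group: str, artifact: str, version: str) -> str:
    """Verdict for one coordinate with respect to CVE-2021-44228."""
    if group == "log4j" and artifact == "log4j":
        return "log4j 1.x: not affected by CVE-2021-44228; check config for JMSAppender (CVE-2021-4104)"
    if group == "org.apache.logging.log4j" and artifact == "log4j-core":
        if version in FIXED_BACKPORTS:
            return "log4j-core backport with fix: not affected"
        if version_key(AFFECTED_LOW) <= version_key(version) <= version_key(AFFECTED_HIGH):
            return "log4j-core AFFECTED by CVE-2021-44228: upgrade"
        return "log4j-core outside affected range"
    return "not a log4j artifact"

def scan_dependencies(text: str) -> List[Tuple[str, str]]:
    """Find every quoted group:artifact:version coordinate and classify it."""
    return [(f"{g}:{a}:{v}", classify(g, a, v)) for g, a, v in _COORD.findall(text)]

# Constructed sample in the style of a Gradle dependency map (hypothetical, not Kafka's file).
SAMPLE = '''
libs += [
  log4j: "log4j:log4j:1.2.17",
  log4jCore: "org.apache.logging.log4j:log4j-core:2.14.1",
  slf4jApi: "org.slf4j:slf4j-api:1.7.30",
]
'''

if __name__ == "__main__":
    for coord, verdict in scan_dependencies(SAMPLE):
        print(f"{coord:55} {verdict}")
```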

Hazelcast 3.11 + log4j

Good day, has anyone found information about log4j involving Hazelcast 3.11?
The official website doesn't show anything about the log4j vulnerability.
The vulnerability is addressed in Log4j 2.15.0. The Hazelcast team is currently working to release fixes for the versions listed above. UPDATE on December 15, 2021: IMDG 4.0.4, 4.1.7 and 4.2.3 have been released. The remaining releases, Hazelcast 5.0.1 and Hazelcast Jet 4.5.2, are being worked on.
Users that explicitly use a vulnerable Log4j 2 library are advised to upgrade to Log4j 2.15.0 as soon as possible.
For more: Security Advisory for "Log4Shell" CVE-2021-44228 and CVE-2021-45046

Cassandra log4j Vulnerability exception

We are using Apache Cassandra 3.11.7 running on a native Kubernetes cluster. Is it vulnerable to the log4j security exception?
Here you can find a list of affected software. Cassandra is not in the list: https://github.com/cisagov/log4j-affected-db

Cassandra version compatibility with 3.7?

Is the spring-data-cassandra version 1.4.2 compatible with Cassandra version 3.7? I get the following error when I try to connect:
Error creating bean with name 'cassandraSession': Invocation of init method failed;
nested exception is java.lang.NoClassDefFoundError:
io/netty/util/concurrent/EventExecutor
No, Spring Data Cassandra 1.4.x is based on DataStax's 2.x Cassandra driver.
However, in the Spring Data Cassandra 1.5 (Ingalls) release series (currently at 1.5 M1), we have upgraded the DataStax Cassandra driver to 3.0.3. We have also removed support for the DataStax DSE (DataStax Enterprise) driver since it is unnecessary for SD Cassandra functionality.
There were significant changes in the 3.0 version of DataStax's Java driver API, requiring us to introduce 3.0 support in 1.5. We would not be able to backport these changes without adversely affecting 1.4 users.
You can find out more by reading our SD Ingalls M1 release announcement.
Also, you can follow the development of SD Cassandra 1.5 on the Wiki.
Feedback is always welcomed, either with PRs or through JIRA.