Posted to commits@pulsar.apache.org by GitBox <gi...@apache.org> on 2021/12/11 17:07:28 UTC

[GitHub] [pulsar] lhotari commented on a change in pull request #13242: [Blog] Added Log4j CVE blog post

lhotari commented on a change in pull request #13242:
URL: https://github.com/apache/pulsar/pull/13242#discussion_r767173549



##########
File path: site2/website/blog/2021-12-11-Log4j-CVE.md
##########
@@ -0,0 +1,29 @@
+---
+author: Matteo Merli
+title: Log4j2 Zero Day vulnerability (CVE-2021-44228)
+---
+
+Yesterday, a new serious vulnerability was reported regarding Log4j that can
+allow remote execution for attackers.
+
+The vulnerability issue is described and tracked under [CVE-2021-44228](https://nvd.nist.gov/vuln/detail/CVE-2021-44228).
+
+Current releases of Apache Pulsar are bundling Log4j2 versions that are
+affected by this vulnerability and while we're not aware of any specific
+exploit for Pulsar, we strongly recommend to follow the advisory of the
+Apache Log4j community and patch your systems as soon as possible.
+
+There are 2 workarounds to patch a Pulsar deployments. You can set either of:
+
+ 1. Java property: `-Dlog4j2.formatMsgNoLookups=true`
+ 2. Environment variable: `LOG4J_FORMAT_MSG_NO_LOOKUPS=true`
+
+Both approaches are effective in mitigating the vulnerability.
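Review bot: the workaround paragraph (lines "There are 2 workarounds" through "Both approaches are effective") tells readers what to set but not where, and Pulsar runs several JVMs (brokers, bookies, proxies, function workers and separately launched function or connector processes) that each load Log4j2, so a reader may set the flag on the broker alone and believe the deployment is covered; state that the property or environment variable must reach every JVM that bundles Log4j2 and how to pass it through the Pulsar start scripts. Relatedly, "Current releases of Apache Pulsar are bundling Log4j2 versions that are affected" names neither the Pulsar releases nor the bundled Log4j2 version, which readers need to confirm the two flags apply to the version they run and to know whether a fixed Pulsar release is planned, since the previous paragraph says "patch your systems" while this one only offers workarounds. Minor: "patch a Pulsar deployments" should read "patch a Pulsar deployment".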

Review comment:
       This mitigation doesn't cover Pulsar Functions deployed using k8s runtime. One solution is to patch a docker image with the instructions provided in https://github.com/lhotari/pulsar-docker-images-patch-CVE-2021-44228.




-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@pulsar.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
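The blog post in the diff and lhotari's comment both turn on one question an operator has to answer per JVM: is the bundled log4j-core affected, and does the flag or environment variable actually cover it? The script below is an added example for this page, not code from the Pulsar project, the pull request, or its reviewers. It inspects jars on disk for the log4j-core version and the JndiLookup class, then classifies each jar against the process's JVM options and environment. The jars it builds in demo() are constructed stand-ins, not real Log4j artifacts; the facts it encodes come from the Log4j advisory for this CVE (JndiLookup is the vulnerable component, log4j2.formatMsgNoLookups exists only in Log4j 2.10 and later, 2.15.0 is the first fixed release).

```python
"""Added example (not Pulsar project code): scan a lib/ directory for
log4j-core jars affected by CVE-2021-44228 and decide whether the two
workarounds from the blog post apply to each one.

Assumptions: the jar's own pom.properties identifies log4j-core and its
version; sample jars built in demo() are constructed stand-ins."""
import os
import re
import tempfile
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIRST_FIXED = (2, 15, 0)       # first Log4j2 release with the CVE fixed
FLAG_MIN_VERSION = (2, 10, 0)  # formatMsgNoLookups does not exist before 2.10


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); None if unparseable."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        return None
    return tuple(int(x or 0) for x in m.groups())


def inspect_jar(path):
    """Return (log4j-core version tuple or None, whether JndiLookup.class is present)."""
    with zipfile.ZipFile(path) as z:
        names = set(z.namelist())
        version = None
        if POM_PROPS in names:
            for line in z.read(POM_PROPS).decode("utf-8").splitlines():
                if line.startswith("version="):
                    version = parse_version(line.split("=", 1)[1])
    return version, JNDI_LOOKUP in names


def no_lookups_enabled(jvm_opts="", env=None):
    """True if either workaround named in the post is set for this process."""
    env = env or {}
    return ("-Dlog4j2.formatMsgNoLookups=true" in jvm_opts.split()
            or env.get("LOG4J_FORMAT_MSG_NO_LOOKUPS", "").lower() == "true")


def assess(version, has_jndi, jvm_opts="", env=None):
    """Classify one jar for the JVM that loads it with these options."""
    if version is None:
        return "not-log4j-core"
    if version >= FIRST_FIXED:
        return "fixed-release"
    if not has_jndi:
        return "mitigated-class-removed"   # JndiLookup stripped from the jar
    if no_lookups_enabled(jvm_opts, env) and version >= FLAG_MIN_VERSION:
        return "mitigated-no-lookups"
    return "vulnerable"                     # flag absent, or too old to honor it


def scan_dir(libdir, jvm_opts="", env=None):
    """Map every *.jar directly under libdir to its assessment."""
    report = {}
    for name in sorted(os.listdir(libdir)):
        if name.endswith(".jar"):
            version, has_jndi = inspect_jar(os.path.join(libdir, name))
            report[name] = assess(version, has_jndi, jvm_opts, env)
    return report


def build_sample_jar(libdir, version, include_jndi):
    """Constructed stand-in for log4j-core-<version>.jar (not a real artifact)."""
    path = os.path.join(libdir, "log4j-core-%s.jar" % version)
    with zipfile.ZipFile(path, "w") as z:
        z.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\n"
                   "artifactId=log4j-core\nversion=%s\n" % version)
        if include_jndi:
            z.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # class-file magic only
    return path


def demo():
    """Scan four constructed jars with the post's JVM-property workaround set."""
    with tempfile.TemporaryDirectory() as libdir:
        build_sample_jar(libdir, "2.14.1", include_jndi=True)   # flag works
        build_sample_jar(libdir, "2.8.2", include_jndi=True)    # flag too old
        build_sample_jar(libdir, "2.11.2", include_jndi=False)  # class removed
        build_sample_jar(libdir, "2.15.0", include_jndi=True)   # fixed release
        return scan_dir(libdir, jvm_opts="-Dlog4j2.formatMsgNoLookups=true")


if __name__ == "__main__":
    for jar, status in demo().items():
        print(jar, status)
```

The useful outcome is the "vulnerable" verdict on the 2.8.2 jar even though the flag is set: the two workarounds in the post are only a mitigation on Log4j 2.10 and later, so an operator has to pair the flag with the bundled version, and on anything older fall back to removing JndiLookup.class from the jar. Run scan_dir once per JVM in the deployment, passing that process's actual options and environment, rather than once per host.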