Posted to commits@pulsar.apache.org by mm...@apache.org on 2021/12/13 23:10:29 UTC
[pulsar] branch master updated: Provide guide on fixing log4j cve without upgrading the chart (#13274)
This is an automated email from the ASF dual-hosted git repository.
mmerli pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/pulsar.git
The following commit(s) were added to refs/heads/master by this push:
new e04b3af Provide guide on fixing log4j cve without upgrading the chart (#13274)
e04b3af is described below
commit e04b3af3da47a1f5cbd2844f5ec8a33ac1adf525
Author: Sijie Guo <si...@apache.org>
AuthorDate: Mon Dec 13 15:09:19 2021 -0800
Provide guide on fixing log4j cve without upgrading the chart (#13274)
---
site2/website/blog/2021-12-11-Log4j-CVE.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/site2/website/blog/2021-12-11-Log4j-CVE.md b/site2/website/blog/2021-12-11-Log4j-CVE.md
index b345a68..91d6ec4 100644
--- a/site2/website/blog/2021-12-11-Log4j-CVE.md
+++ b/site2/website/blog/2021-12-11-Log4j-CVE.md
@@ -24,8 +24,8 @@ Additionally, when running Pulsar Functions with Kubernetes runtime, you should
your Docker images, following the example described [here](https://github.com/lhotari/pulsar-docker-images-patch-CVE-2021-44228).
If you are using the Pulsar Helm Chart for deploying in Kubernetes, a [new
-version of the chart](https://github.com/apache/pulsar-helm-chart/releases/tag/pulsar-2.7.6) is already available and it applies the above mentioned
-workaround.
+version of the chart](https://github.com/apache/pulsar-helm-chart/releases/tag/pulsar-2.7.6) is already available and it applies the above mentioned workaround.
+If upgrading is not an option, you may also mitigate by adding `-Dlog4j2.formatMsgNoLookups=true` to the `PUSLAR_EXTRA_OPTS` in the `configData` section for proxy, broker, bookkeeper, zookeeper, auto-recovery, and relative components in the helm values file.
We are already preparing new patch releases, 2.7.4, 2.8.2 and 2.9.1. These
releases will be ready in the next few days and will bundle the Log4j2 2.15.0,
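Review bot: The added mitigation line names the variable as `PUSLAR_EXTRA_OPTS`, which looks like a transposition of `PULSAR_EXTRA_OPTS`. A reader who copies it verbatim into the `configData` section will set a key the components never read, so `-Dlog4j2.formatMsgNoLookups=true` would not reach the JVM and the deployment would stay unmitigated while appearing patched. Please correct the spelling. In the same sentence, "relative components" probably should read "related components". It would also help to say whether the flag is appended to an existing value of the variable or replaces it, since the sentence only says "adding".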