Posted to commits@pulsar.apache.org by mm...@apache.org on 2021/12/13 23:10:29 UTC

[pulsar] branch master updated: Provide guide on fixing log4j cve without upgrading the chart (#13274)

This is an automated email from the ASF dual-hosted git repository.

mmerli pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/pulsar.git


The following commit(s) were added to refs/heads/master by this push:
     new e04b3af  Provide guide on fixing log4j cve without upgrading the chart (#13274)
e04b3af is described below

commit e04b3af3da47a1f5cbd2844f5ec8a33ac1adf525
Author: Sijie Guo <si...@apache.org>
AuthorDate: Mon Dec 13 15:09:19 2021 -0800

    Provide guide on fixing log4j cve without upgrading the chart (#13274)
---
 site2/website/blog/2021-12-11-Log4j-CVE.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/site2/website/blog/2021-12-11-Log4j-CVE.md b/site2/website/blog/2021-12-11-Log4j-CVE.md
index b345a68..91d6ec4 100644
--- a/site2/website/blog/2021-12-11-Log4j-CVE.md
+++ b/site2/website/blog/2021-12-11-Log4j-CVE.md
@@ -24,8 +24,8 @@ Additionally, when running Pulsar Functions with Kubernetes runtime, you should
 your Docker images, following the example described [here](https://github.com/lhotari/pulsar-docker-images-patch-CVE-2021-44228).
 
 If you are using the Pulsar Helm Chart for deploying in Kubernetes, a [new
-version of the chart](https://github.com/apache/pulsar-helm-chart/releases/tag/pulsar-2.7.6) is already available and it applies the above mentioned
-workaround.
+version of the chart](https://github.com/apache/pulsar-helm-chart/releases/tag/pulsar-2.7.6) is already available and it applies the above mentioned workaround.
+If upgrading is not an option, you may also mitigate by adding `-Dlog4j2.formatMsgNoLookups=true` to the `PUSLAR_EXTRA_OPTS` in the `configData` section for proxy, broker, bookkeeper, zookeeper, auto-recovery, and relative components in the helm values file.
 
 We are already preparing new patch releases, 2.7.4, 2.8.2 and 2.9.1. These
 releases will be ready in the next few days and will bundle the Log4j2 2.15.0,
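Review bot: the environment variable in the added sentence is misspelled as `PUSLAR_EXTRA_OPTS`; it should be `PULSAR_EXTRA_OPTS`. Anyone who copies the name verbatim into `configData` will set a variable the startup scripts never read, so `-Dlog4j2.formatMsgNoLookups=true` will not reach the JVM and the component stays unmitigated while appearing patched. In the same sentence, "relative components" reads as a slip for "related components". Since the instruction is to add the flag to an existing setting, it would also help to say explicitly that the flag is appended to whatever value `PULSAR_EXTRA_OPTS` already carries for each component, rather than replacing it.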