Posted to users@nifi.apache.org by "Gregory M. Foreman" <gf...@spinnerconsulting.com> on 2022/05/02 14:56:23 UTC

zookeeper 3.5.9 / CVE-2021-44228

Hello:

Nifi 1.16.1 included upgrading to zookeeper 3.5.9, which uses log4j 1.2.17 (NIFI-9955).  My client currently has an external zookeeper 3.5.8 deployed, it uses log4j 1.2.17, and it has been flagged to upgrade due to the log4j CVE.  I originally thought that log4j 1.x versions were not affected, but I may have over-simplified the logic.  Ref: https://www.petefreitag.com/item/926.cfm (no affiliation).  It appears that zookeeper 3.5.9 is going to EOL in June 2022.  Are there plans to upgrade to zookeeper 3.7.0 or later?

Thanks,
Greg



Re: zookeeper 3.5.9 / CVE-2021-44228

Posted by "Gregory M. Foreman" <gf...@spinnerconsulting.com>.
Shawn:

Thank you, we are going to migrate over to 3.8.0.

David:

Thank you for the detailed explanations.

Greg

> On May 2, 2022, at 11:18 AM, David Handermann <ex...@apache.org> wrote:
> 
> Greg,
> 
> NiFi 1.15.0 included build configuration updates that excluded all references to Log4j 1 libraries as described in the following Jira issue:
> 
> https://issues.apache.org/jira/browse/NIFI-9283
> 
> Although previous versions of NiFi included Log4j 1 libraries, NiFi also leveraged hierarchical class-loading and the Log4j to SLF4J bridge library to route runtime Log4j 1 requests to SLF4J and Logback.  The following post covers the details of logging library management in NiFi:
> 
> https://exceptionfactory.com/posts/2021/12/29/managing-logging-libraries-in-apache-nifi/
> 
> With that background, there should be no concerns related to Log4j 1 and recent versions of NiFi.
> 
> As far as ZooKeeper itself, upgrading the client library version is something that will be addressed as part of regular dependency upgrade reviews.
> 
> Regards,
> David Handermann
> 
> On Mon, May 2, 2022 at 9:56 AM Gregory M. Foreman <gforeman@spinnerconsulting.com> wrote:
> Hello:
> 
> Nifi 1.16.1 included upgrading to zookeeper 3.5.9, which uses log4j 1.2.17 (NIFI-9955).  My client currently has an external zookeeper 3.5.8 deployed, it uses log4j 1.2.17, and it has been flagged to upgrade due to the log4j CVE.  I originally thought that log4j 1.x versions were not affected, but I may have over-simplified the logic.  Ref: https://www.petefreitag.com/item/926.cfm (no affiliation).  It appears that zookeeper 3.5.9 is going to EOL in June 2022.  Are there plans to upgrade to zookeeper 3.7.0 or later?
> 
> Thanks,
> Greg
> 
> 


Re: zookeeper 3.5.9 / CVE-2021-44228

Posted by David Handermann <ex...@apache.org>.
Greg,

NiFi 1.15.0 included build configuration updates that excluded all
references to Log4j 1 libraries as described in the following Jira issue:

https://issues.apache.org/jira/browse/NIFI-9283

Although previous versions of NiFi included Log4j 1 libraries, NiFi also
leveraged hierarchical class-loading and the Log4j to SLF4J bridge library
to route runtime Log4j 1 requests to SLF4J and Logback.  The following post
covers the details of logging library management in NiFi:

https://exceptionfactory.com/posts/2021/12/29/managing-logging-libraries-in-apache-nifi/

With that background, there should be no concerns related to Log4j 1 and
recent versions of NiFi.

As far as ZooKeeper itself, upgrading the client library version is
something that will be addressed as part of regular dependency upgrade
reviews.

Regards,
David Handermann

On Mon, May 2, 2022 at 9:56 AM Gregory M. Foreman <gforeman@spinnerconsulting.com> wrote:

> Hello:
>
> Nifi 1.16.1 included upgrading to zookeeper 3.5.9, which uses log4j 1.2.17
> (NIFI-9955).  My client currently has an external zookeeper 3.5.8 deployed,
> it uses log4j 1.2.17, and it has been flagged to upgrade due to the log4j
> CVE.  I originally thought that log4j 1.x versions were not affected, but I
> may have over-simplified the logic.  Ref:
> https://www.petefreitag.com/item/926.cfm (no affiliation).  It appears
> that zookeeper 3.5.9 is going to EOL in June 2022.  Are there plans to
> upgrade to zookeeper 3.7.0 or later?
>
> Thanks,
> Greg
>
>
>
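The question in this thread, whether a deployment carries a Log4j 1 jar, a Log4j 2 core jar in the CVE-2021-44228 range, or only the Log4j-to-SLF4J bridge that David describes, is one an operator can answer from a lib directory listing. The script below is an added example, not NiFi or ZooKeeper project code: it classifies jar file names (the sample listing is constructed for illustration, not a real NiFi or ZooKeeper lib directory) and flags log4j-core versions in the range CVE-2021-44228 covers, 2.0-beta9 through 2.14.1, excluding the 2.3.1 and 2.12.2 backport fixes. It looks only at file names, so it will not see Log4j classes shaded into another jar; treat it as a first pass, not proof of absence.

```python
"""Inventory Log4j-related jars in a lib directory and classify them.

Added example (not NiFi or ZooKeeper project code). Works from jar file
names only: Log4j 1.x jars, Log4j 2 core jars, and the bridge artifacts
that route Log4j API calls onto SLF4J/Logback are reported separately.
"""
import re
import sys
from pathlib import Path

# artifact-version.jar, where version starts with a digit and may carry a
# suffix such as -beta9 or -rc2
JAR_RE = re.compile(
    r"^(?P<artifact>.+?)-(?P<version>\d+(?:\.\d+)*(?:-[A-Za-z0-9]+)?)\.jar$"
)

# Adapters that present a Log4j API but delegate to another backend; they do
# not contain the Log4j 2 lookup implementation the CVE concerns.
BRIDGE_ARTIFACTS = {"log4j-over-slf4j", "log4j-to-slf4j", "log4j-1.2-api"}


def parse_version(version):
    """'2.14.1' -> ((2, 14, 1), ''); '2.0-beta9' -> ((2, 0), 'beta9')."""
    base, _, pre = version.partition("-")
    return tuple(int(x) for x in base.split(".")), pre


def core_affected_by_cve_2021_44228(version):
    """True when a log4j-core version falls in the published affected range:
    2.0-beta9 through 2.14.1, minus the 2.3.1 (Java 6) and 2.12.2 (Java 7)
    backport releases that carry the fix."""
    nums, pre = parse_version(version)
    nums = (nums + (0, 0, 0))[:3]
    if nums[0] != 2:
        return False  # Log4j 1.x and anything else is outside this CVE
    if nums == (2, 0, 0) and pre:
        m = re.fullmatch(r"beta(\d+)", pre)
        # betas before beta9 predate the affected code; rc1/rc2 are affected
        return not (m and int(m.group(1)) < 9)
    if nums[:2] == (2, 3) and nums[2] >= 1:
        return False
    if nums[:2] == (2, 12) and nums[2] >= 2:
        return False
    return (2, 0, 0) <= nums <= (2, 14, 1)


def classify_jar(filename):
    """Return (artifact, version, category) for Log4j-related jars, else None."""
    m = JAR_RE.match(filename)
    if not m:
        return None
    artifact, version = m.group("artifact"), m.group("version")
    if artifact in BRIDGE_ARTIFACTS:
        category = "bridge"
    elif artifact == "log4j":
        # 1.x is not in scope for CVE-2021-44228 but the line is end-of-life
        category = "log4j1-eol"
    elif artifact == "log4j-core":
        category = ("log4j2-core-CVE-2021-44228"
                    if core_affected_by_cve_2021_44228(version)
                    else "log4j2-core-fixed")
    elif artifact.startswith("log4j-"):
        category = "log4j2-other"  # log4j-api etc.: no lookup code on their own
    else:
        return None
    return artifact, version, category


def inventory(filenames):
    """Classify an iterable of jar file names, dropping unrelated jars."""
    return [c for c in (classify_jar(f) for f in filenames) if c]


def scan_lib_dir(path):
    """Walk a lib directory (e.g. a ZooKeeper or NiFi lib/) and classify jars."""
    return inventory(p.name for p in Path(path).rglob("*.jar"))


# Constructed sample listing for offline use; the names are illustrative and
# do not describe any real NiFi or ZooKeeper distribution.
SAMPLE_LISTING = [
    "zookeeper-3.5.9.jar",
    "log4j-1.2.17.jar",
    "log4j-over-slf4j-1.7.36.jar",
    "logback-classic-1.2.11.jar",
    "log4j-core-2.14.1.jar",
    "log4j-api-2.17.1.jar",
    "log4j-1.2-api-2.17.1.jar",
]

if __name__ == "__main__":
    rows = scan_lib_dir(sys.argv[1]) if len(sys.argv) > 1 else inventory(SAMPLE_LISTING)
    for artifact, version, category in rows:
        print(f"{artifact:<20} {version:<12} {category}")
```

Run it with a lib directory as the only argument to inventory a real installation; with no argument it classifies the constructed sample. A `bridge` row next to a `log4j1-eol` row is the pattern David describes for older NiFi releases: the Log4j 1 API jar is present, but calls are routed into SLF4J rather than handled by Log4j itself.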

Re: zookeeper 3.5.9 / CVE-2021-44228

Posted by Shawn Weeks <sw...@weeksconsulting.us>.
I’m running external Zookeeper 3.8.0 with NiFi 1.15 without issue because of the log4j findings and it installed over 3.6.3 just fine so in theory it should work.

Thanks
Shawn

On May 2, 2022, at 9:56 AM, Gregory M. Foreman <gf...@spinnerconsulting.com> wrote:

> Hello:
> 
> Nifi 1.16.1 included upgrading to zookeeper 3.5.9, which uses log4j 1.2.17 (NIFI-9955).  My client currently has an external zookeeper 3.5.8 deployed, it uses log4j 1.2.17, and it has been flagged to upgrade due to the log4j CVE.  I originally thought that log4j 1.x versions were not affected, but I may have over-simplified the logic.  Ref: https://www.petefreitag.com/item/926.cfm (no affiliation).  It appears that zookeeper 3.5.9 is going to EOL in June 2022.  Are there plans to upgrade to zookeeper 3.7.0 or later?
> 
> Thanks,
> Greg