Bump log4j to 2.15.0 #13226

Merged
merged 1 commit into from
Dec 10, 2021

Conversation

shoothzj (Member)

Modifications

Bump log4j to 2.15.0

Documentation

Check the box below and label this PR (if you have committer privilege).

Need to update docs?

  • no-need-doc

Only need to modify the license part

github-actions bot added the "doc-not-needed" (Your PR changes do not impact docs) label on Dec 10, 2021
@BewareMyPower (Contributor)

Should we add this PR to 2.8.2 since there is a security vulnerability for log4j < 2.15? @315157973

@merlimat (Contributor)

> Should we add this PR to 2.8.2 since there is a security vulnerability for log4j < 2.15? @315157973

If there’s a security issue, we should also backport to 2.7

@massakam massakam added this to the 2.10.0 milestone Dec 10, 2021
lhotari (Member) commented Dec 10, 2021

> Should we add this PR to 2.8.2 since there is a security vulnerability for log4j < 2.15? @315157973

@BewareMyPower which vulnerability is it? severity level?

@315157973 (Contributor)

> which vulnerability is it? severity level?

Very serious

@massakam massakam merged commit 0015dab into apache:master Dec 10, 2021
lhotari (Member) commented Dec 10, 2021

> which vulnerability is it? severity level?
>
> Very serious

@315157973 I don't see any vulnerability listed here: https://ossindex.sonatype.org/component/pkg:maven/org.apache.logging.log4j/log4j
Do you have the CVE id?

@shoothzj shoothzj deleted the log4j-2-15-0 branch December 10, 2021 06:09
@massakam (Contributor)

FYI
https://www.lunasec.io/docs/blog/log4j-zero-day/

lhotari (Member) commented Dec 10, 2021

@315157973 I'll cherry-pick to branch-2.8 and branch-2.7. Since the issue is extremely severe, I think we need to expedite the 2.8.2 and 2.7.4 releases. /cc @michaeljmarshall

imryao (Contributor) commented Dec 10, 2021

> which vulnerability is it? severity level?
>
> Very serious
>
> @315157973 I don't see any vulnerability listed here: https://ossindex.sonatype.org/component/pkg:maven/org.apache.logging.log4j/log4j Do you have the CVE id?

CVE-2021-44228. You can check it here: GHSA-jfh8-c2jp-5v3q

lhotari pushed a commit that referenced this pull request Dec 10, 2021
(cherry picked from commit 0015dab)
lhotari added the "cherry-picked/branch-2.8" (Archived: 2.8 is end of life) label on Dec 10, 2021
lhotari pushed a commit that referenced this pull request Dec 10, 2021
(cherry picked from commit 0015dab)
lhotari added the "cherry-picked/branch-2.7" (Archived: 2.7 is end of life) label on Dec 10, 2021
lhotari pushed a commit that referenced this pull request Dec 10, 2021
(cherry picked from commit 0015dab)
nicoloboschi pushed a commit to datastax/pulsar that referenced this pull request Dec 10, 2021
(cherry picked from commit 0015dab)
(cherry picked from commit dea0f43)
lhotari pushed a commit that referenced this pull request Dec 10, 2021
(cherry picked from commit 0015dab)
lhotari (Member) commented Dec 10, 2021

I also cherry-picked to branch-2.6. I think it would make sense to do a 2.6.5 release since CVE-2021-44228 is such a severe issue. @merlimat @eolivelli @massakam WDYT?

lhotari pushed a commit to datastax/pulsar that referenced this pull request Dec 10, 2021
(cherry picked from commit 0015dab)
(cherry picked from commit f7c6bdb)
nicoloboschi pushed a commit to datastax/pulsar that referenced this pull request Dec 10, 2021
(cherry picked from commit 0015dab)
(cherry picked from commit b136a73)
lhotari (Member) commented Dec 10, 2021

The workaround seems to be to set log4j2.formatMsgNoLookups to true.
reference: https://twitter.com/80vul/status/1468968891489857537

lhotari (Member) commented Dec 10, 2021

I can confirm that the JVM system property -Dlog4j2.formatMsgNoLookups=true prevents the issue. This workaround applies for Log4j >= 2.10.0. I'm working on a Pulsar Helm Chart change that passes that automatically for all Pulsar processes.

lhotari (Member) commented Dec 10, 2021

CVE-2021-44228 is triggered if user-provided input is passed to Logger's debug/info/warn/error method directly. It doesn't get triggered if user-provided input is logged using {} placeholders. This reduces the likelihood of the exploit quite a lot.

lhotari (Member) commented Dec 10, 2021

Workaround in Pulsar Helm Chart by setting -Dlog4j2.formatMsgNoLookups=true: apache/pulsar-helm-chart#186

lhotari (Member) commented Dec 10, 2021

> CVE-2021-44228 is triggered if user-provided input is passed to Logger's debug/info/warn/error method directly. It doesn't get triggered if user-provided input is logged using {} placeholders. This reduces the likelihood of the exploit quite a lot.

It seems that using {} placeholders isn't sufficient: https://twitter.com/CZ_JanecekPetr/status/1469220756580179972. The only confirmed workaround is -Dlog4j2.formatMsgNoLookups=true.
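The thread above settles on two facts an operator needs when triaging a fleet: log4j-core below 2.15.0 is affected, and -Dlog4j2.formatMsgNoLookups=true is the confirmed workaround but only for Log4j 2.10.0 and later. The script below is an added example (not code from this PR, from Pulsar, or from the Helm chart change lhotari mentions) that inventories log4j-core jars under a directory and classifies each one against those two thresholds, optionally taking the JVM argument string of the process that loads them. It assumes the standard Maven layout in which every log4j-core jar carries META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties with a version= line; shaded or repackaged jars without that file are skipped. The status names and the sample jars built by demo() are constructed for this example.

```python
"""Inventory log4j-core versions in a jar tree and assess CVE-2021-44228 exposure.

Thresholds follow the discussion in this PR:
  * log4j-core < 2.15.0 is affected (2.15.0 is the version this PR bumps to),
  * -Dlog4j2.formatMsgNoLookups=true is the confirmed workaround, but only
    for Log4j >= 2.10.0, so older jars still need an upgrade.
Added example; not part of the Pulsar code base.
"""
import re
import tempfile
import zipfile
from pathlib import Path
from typing import Dict, Optional, Tuple

# Maven writes this file into every non-shaded log4j-core jar (standard layout, assumed here).
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED = (2, 15, 0)            # first fixed release
WORKAROUND_MIN = (2, 10, 0)   # property only exists from this release on
# Log4j reads the property case-insensitively; \b stops "true" from matching "truex".
PROP_RE = re.compile(r"-Dlog4j2\.formatMsgNoLookups=true\b", re.IGNORECASE)


def parse_version(text: str) -> Tuple[int, int, int]:
    """'2.14.1' -> (2, 14, 1); qualifiers such as '-rc1' are dropped, short forms padded."""
    core = text.strip().split("-")[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def log4j_core_version(jar_path: Path) -> Optional[str]:
    """Return the log4j-core version recorded in the jar's pom.properties, or None."""
    with zipfile.ZipFile(jar_path) as jar:
        try:
            raw = jar.read(POM_PROPS).decode("utf-8", errors="replace")
        except KeyError:
            return None  # not log4j-core, or repackaged without Maven metadata
    for line in raw.splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def assess(version: str, jvm_args: str = "") -> str:
    """Classify one log4j-core version given the JVM arguments of the loading process."""
    v = parse_version(version)
    if v >= FIXED:
        return "fixed"
    if v >= WORKAROUND_MIN:
        if PROP_RE.search(jvm_args):
            return "mitigated-by-property"
        return "vulnerable-workaround-available"
    return "vulnerable-upgrade-required"  # property has no effect before 2.10.0


def scan(directory: str, jvm_args: str = "") -> Dict[str, Tuple[str, str]]:
    """Map each log4j-core jar path under directory to (version, status)."""
    results: Dict[str, Tuple[str, str]] = {}
    for jar in Path(directory).rglob("*.jar"):
        version = log4j_core_version(jar)
        if version is not None:
            results[str(jar)] = (version, assess(version, jvm_args))
    return results


def make_sample_jar(path: Path, version: Optional[str]) -> None:
    """Constructed fixture: a minimal jar with only the Maven pom.properties (or none)."""
    with zipfile.ZipFile(path, "w") as jar:
        if version is None:
            jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        else:
            jar.writestr(POM_PROPS, f"version={version}\n"
                                    "groupId=org.apache.logging.log4j\n"
                                    "artifactId=log4j-core\n")


def demo() -> Dict[str, str]:
    """Scan three constructed jars as if loaded by a JVM that has the workaround set."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        make_sample_jar(root / "log4j-core-2.14.1.jar", "2.14.1")
        make_sample_jar(root / "log4j-core-2.15.0.jar", "2.15.0")
        make_sample_jar(root / "commons-lang3-3.12.0.jar", None)  # unrelated jar, skipped
        found = scan(tmp, "-Xms2g -Dlog4j2.formatMsgNoLookups=true")
        return {Path(p).name: status for p, (_, status) in found.items()}


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{name}: {status}")
```

Pointing scan() at a real installation (for Pulsar, the lib directory) with the JVM arguments taken from the running process shows which hosts are covered by the property and which still need the jar bump this PR applies. The ordering of the checks matters: a jar older than 2.10.0 reports "vulnerable-upgrade-required" even when the property is present, because the property is ignored by those releases.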

@liangyuanpeng (Contributor) left a comment:

Thanks for your work.

nicoloboschi added a commit to datastax/pulsar that referenced this pull request Dec 10, 2021
nicoloboschi pushed a commit to datastax/pulsar that referenced this pull request Dec 10, 2021
(cherry picked from commit 0015dab)
fxbing pushed a commit to fxbing/pulsar that referenced this pull request Dec 19, 2021
bharanic-dev pushed a commit to bharanic-dev/pulsar that referenced this pull request Mar 18, 2022
Labels: area/security, cherry-picked/branch-2.7 (Archived: 2.7 is end of life), cherry-picked/branch-2.8 (Archived: 2.8 is end of life), cherry-picked/branch-2.9 (Archived: 2.9 is end of life), doc-not-needed (Your PR changes do not impact docs), release/2.7.4, release/2.8.2, release/2.9.1

8 participants