Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Security] Upgrade to Log4J 2.17.0 to mitigate CVE-2021-45105 #13392

Merged
merged 1 commit into from
Dec 18, 2021
Merged

[Security] Upgrade to Log4J 2.17.0 to mitigate CVE-2021-45105 #13392

merged 1 commit into from
Dec 18, 2021

Conversation

lhotari
Copy link
Member

@lhotari lhotari commented Dec 18, 2021
edited
Loading

Motivation

Apache Log4j2 versions 2.0-alpha1 through 2.16.0 did not protect from uncontrolled recursion from self-referential lookups. When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup, resulting in a StackOverflowError that will terminate the process. This is also known as a DOS (Denial of Service) attack.

  • default Pulsar configurations aren't impacted

Modifications

  • upgrade Log4J version from 2.16.0 to 2.17.0

Additional context

Analysis on the mailing list https://lists.apache.org/thread/0hn40hcmxo8nbbkgsyfgl6gb8lg74o5o

@lhotari lhotari added area/security doc-not-needed Your PR changes do not impact docs labels Dec 18, 2021
@lhotari lhotari self-assigned this Dec 18, 2021
michaeljmarshall
michaeljmarshall approved these changes Dec 18, 2021
View reviewed changes
Copy link
Member

@michaeljmarshall michaeljmarshall left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

lhotari added a commit to datastax/pulsar that referenced this pull request Dec 18, 2021
@lhotari
[Security] Upgrade to Log4J 2.17.0 to mitigate CVE-2021-45105
5f8dd84 
- more details at https://logging.apache.org/log4j/2.x/security.html
- upstream PR apache#13392
lhotari added a commit to datastax/pulsar that referenced this pull request Dec 18, 2021
@lhotari
[Security] Upgrade to Log4J 2.17.0 to mitigate CVE-2021-45105
f4ed3be 
- more details at https://logging.apache.org/log4j/2.x/security.html
- upstream PR apache#13392
@lhotari lhotari merged commit 0fa626d into apache:master Dec 18, 2021
@lhotari lhotari added this to the 2.10.0 milestone Dec 18, 2021
lhotari added a commit that referenced this pull request Dec 18, 2021
@lhotari
[Security] Upgrade to Log4J 2.17.0 to mitigate CVE-2021-45105 (#13392)
7ea0473 
- more details at https://logging.apache.org/log4j/2.x/security.html

(cherry picked from commit 0fa626d)
lhotari added a commit that referenced this pull request Dec 18, 2021
@lhotari
[Security] Upgrade to Log4J 2.17.0 to mitigate CVE-2021-45105 (#13392)
4b9cadc 
- more details at https://logging.apache.org/log4j/2.x/security.html

(cherry picked from commit 0fa626d)
lhotari added a commit that referenced this pull request Dec 18, 2021
@lhotari
[Security] Upgrade to Log4J 2.17.0 to mitigate CVE-2021-45105 (#13392)
2774b46 
- more details at https://logging.apache.org/log4j/2.x/security.html

(cherry picked from commit 0fa626d)
@lhotari lhotari added cherry-picked/branch-2.7 Archived: 2.7 is end of life cherry-picked/branch-2.8 Archived: 2.8 is end of life cherry-picked/branch-2.9 Archived: 2.9 is end of life labels Dec 18, 2021
fxbing pushed a commit to fxbing/pulsar that referenced this pull request Dec 19, 2021
@lhotari
[Security] Upgrade to Log4J 2.17.0 to mitigate CVE-2021-45105 (apache…
640251e 
…#13392)

- more details at https://logging.apache.org/log4j/2.x/security.html
@mattisonchao mattisonchao mentioned this pull request Dec 20, 2021
Merged
1 task
@timmyyuan timmyyuan mentioned this pull request Dec 22, 2021
Closed
Technoboy- pushed a commit to Technoboy-/pulsar that referenced this pull request Dec 29, 2021
@lhotari @Technoboy-
[Security] Upgrade to Log4J 2.17.0 to mitigate CVE-2021-45105 (apache…
a9c53fe 
…#13392)

- more details at https://logging.apache.org/log4j/2.x/security.html
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@shoothzj shoothzj shoothzj approved these changes

@RobertIndie RobertIndie RobertIndie approved these changes

@nicoloboschi nicoloboschi nicoloboschi approved these changes

@michaeljmarshall michaeljmarshall michaeljmarshall approved these changes

@merlimat merlimat Awaiting requested review from merlimat

@sijie sijie Awaiting requested review from sijie

@aahmed-se aahmed-se Awaiting requested review from aahmed-se

@eolivelli eolivelli Awaiting requested review from eolivelli

@315157973 315157973 Awaiting requested review from 315157973

@codelipenghui codelipenghui Awaiting requested review from codelipenghui

@massakam massakam Awaiting requested review from massakam

Assignees

@lhotari lhotari

Labels
area/security cherry-picked/branch-2.7 Archived: 2.7 is end of life cherry-picked/branch-2.8 Archived: 2.8 is end of life cherry-picked/branch-2.9 Archived: 2.9 is end of life doc-not-needed Your PR changes do not impact docs release/2.7.5 release/2.8.2 release/2.9.2
Projects
None yet
Milestone
2.10.0
Development

Successfully merging this pull request may close these issues.

None yet
6 participants
@lhotari @shoothzj @RobertIndie @nicoloboschi @michaeljmarshall @315157973