
Log4j2 CVE (CVE-2021-4104) JMSAppender for kafka and zookeeper


Describe the bug
We are using the JMSAppender class within our configuration. We would like steps to mitigate the issue. More details here: https://github.com/scholzj/strimzi.github.io/blob/37b4a1d059615b861b0d605320949e19e547be2d/_posts/2021-12-14-strimzi-and-log4shell.md#what-about-kafka

[kafka@strimzi-cluster-kafka-0 custom-config]$ cat log4j.properties
# Do not change this generated file. Logging can be configured in the corresponding Kubernetes resource.
log4j.appender.CONSOLE=org.apache.log4j.ConsoleAppender
log4j.appender.CONSOLE.layout=org.apache.log4j.PatternLayout
log4j.appender.CONSOLE.layout.ConversionPattern=%d{ISO8601} %p %m (%c) [%t]%n

Issue Analytics

  • State:closed
  • Created 2 years ago
  • Comments:5 (3 by maintainers)

Top GitHub Comments

1 reaction
scholzj commented, Dec 15, 2021

The JMSAppender is part of the Log4j 1.2 JARs, that is correct. But it is not used by default. It would be used only if you configured it yourself in the logging configuration, which, based on the output you provided above, isn’t the case.

0 reactions
zencircle commented, Dec 15, 2021

> So why are you trying to delete them?

Thanks for pointing it out; it seems our scanner is incorrectly flagging this JMSAppender CVE. JMSAppender uses the same library, Log4j 1.2.

unzip -l log4j-1.2.17.jar  | grep JMSAppender.class
     8047  05-06-2012 13:00   org/apache/log4j/net/JMSAppender.class

Can you let us know if JMSAppender.class is used for communication within any of the Strimzi components?
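The thread turns on the difference between a scanner finding JMSAppender.class inside log4j-1.2.17.jar and the appender actually being wired into the logging configuration. The script below is an added example, not code from the issue or from the Strimzi project: it parses a log4j.properties file for any appender whose class is org.apache.log4j.net.JMSAppender, checks whether that appender is attached to the root logger or a named logger (Log4j 1.2's PropertyConfigurator only instantiates appenders a logger references), and inspects a JAR for the class entry, so the two facts can be reported separately. The sample configurations and the in-memory JAR are constructed for the example; the rootLogger line appended to the Strimzi-style config is an assumption, since the issue's cat output does not show it.

```python
"""Distinguish 'JMSAppender.class is shipped' from 'JMSAppender is configured'
for a Log4j 1.x deployment (CVE-2021-4104 is only reachable via the latter)."""
import io
import re
import zipfile

JMS_APPENDER_CLASS = "org.apache.log4j.net.JMSAppender"
JMS_APPENDER_ENTRY = "org/apache/log4j/net/JMSAppender.class"

# log4j.appender.NAME=fully.qualified.Class (NAME.layout=... etc. do not match)
APPENDER_RE = re.compile(r"^\s*log4j\.appender\.([^.=\s]+)\s*=\s*(\S+)\s*$")
# log4j.rootLogger=LEVEL, A, B / log4j.logger.x.y=LEVEL, A / log4j.category.x=LEVEL, A
LOGGER_RE = re.compile(
    r"^\s*log4j\.(?:rootLogger|rootCategory|logger\.[^=\s]+|category\.[^=\s]+)\s*=\s*(.*)$"
)


def parse_appenders(text):
    """Map appender name -> appender class for every log4j.appender.NAME=CLASS line."""
    appenders = {}
    for line in text.splitlines():
        if line.lstrip().startswith(("#", "!")):  # .properties comment lines
            continue
        m = APPENDER_RE.match(line)
        if m:
            appenders[m.group(1)] = m.group(2)
    return appenders


def referenced_appenders(text):
    """Set of appender names attached to the root logger or any named logger.
    Log4j 1.2's PropertyConfigurator creates an appender only when a logger lists
    it, so a defined-but-unattached JMSAppender is never constructed."""
    refs = set()
    for line in text.splitlines():
        if line.lstrip().startswith(("#", "!")):
            continue
        m = LOGGER_RE.match(line)
        if m:
            parts = [p.strip() for p in m.group(1).split(",")]
            refs.update(p for p in parts[1:] if p)  # parts[0] is the level (may be empty)
    return refs


def jar_has_jms_appender(jar_bytes):
    """True if the JAR ships JMSAppender.class, which is what a file scanner keys on."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return JMS_APPENDER_ENTRY in jar.namelist()


def assess(properties_text, jar_bytes):
    """Verdict: class present in JAR, JMS appenders defined, JMS appenders actually
    attached to a logger, and whether the vulnerable code path is reachable at all."""
    appenders = parse_appenders(properties_text)
    attached = referenced_appenders(properties_text)
    defined = sorted(n for n, c in appenders.items() if c == JMS_APPENDER_CLASS)
    active = sorted(n for n in defined if n in attached)
    present = jar_has_jms_appender(jar_bytes)
    return {
        "class_in_jar": present,
        "jms_appenders_defined": defined,
        "jms_appenders_active": active,
        "reachable": present and bool(active),
    }


# Constructed sample: the Strimzi-generated Kafka config quoted in the issue, plus an
# assumed rootLogger line (not shown in the issue's cat output).
STRIMZI_PROPERTIES = """\
# Do not change this generated file. Logging can be configured in the corresponding Kubernetes resource.
log4j.appender.CONSOLE=org.apache.log4j.ConsoleAppender
log4j.appender.CONSOLE.layout=org.apache.log4j.PatternLayout
log4j.appender.CONSOLE.layout.ConversionPattern=%d{ISO8601} %p %m (%c) [%t]%n
log4j.rootLogger=INFO, CONSOLE
"""

# Constructed counterexample: a config that does wire a JMSAppender into the root logger.
JMS_PROPERTIES = """\
log4j.appender.CONSOLE=org.apache.log4j.ConsoleAppender
log4j.appender.JMS=org.apache.log4j.net.JMSAppender
log4j.appender.JMS.TopicBindingName=logTopic
log4j.rootLogger=INFO, CONSOLE, JMS
"""


def build_fake_jar(with_jms_class):
    """Constructed stand-in for log4j-1.2.17.jar: a zip carrying only entry names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("org/apache/log4j/ConsoleAppender.class", b"")
        if with_jms_class:
            jar.writestr(JMS_APPENDER_ENTRY, b"")
    return buf.getvalue()


if __name__ == "__main__":
    for label, props in (("strimzi default", STRIMZI_PROPERTIES), ("jms configured", JMS_PROPERTIES)):
        print(label, assess(props, build_fake_jar(True)))
```

Run against the Strimzi-style config the verdict is class_in_jar=True but reachable=False, which is the scanner's false positive explained; against the counterexample it is reachable=True. Pointing assess at a real log4j.properties and the bytes of the deployed JAR gives the same two answers for a live broker.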

