Comments (8)
I believe this is a low-risk vulnerability for Linkerd, based on following best practices which ensure that the viz UIs are available only to internal users
Are you sure that this is only related to the UI? Wouldn't Linkerd's proxy interfaces be an attack vector?
Also, are we sure that Netty is the only dependency that pulls in log4j? Does zookeeper use it, for instance?
Are you sure that this is only related to the UI? Wouldn't Linkerd's proxy interfaces be an attack vector?
Not 100% sure, but will dig into it
Also, are we sure that Netty is the only dependency that pulls in log4j? Does zookeeper use it, for instance?
Also need to research this and upgrade the appropriate libraries
Hello @cpretzer - Which versions of linkerd would use this dependency?
It looks very much like the 1.7.4 version does in fact have this issue: https://github.com/linkerd/linkerd/tree/1.7.4/linkerd/main/src/main/resources
Is there any possibility this version will be updated?
The log4j dependency of netty is optional so Linkerd doesn't actually pull in log4j through netty at all.
The only place we pull in log4j is through zookeeper and the version zk depends on is 1.2.17 which is too old to be vulnerable to log4shell. log4j 1.2.17 is theoretically vulnerable to some different older RCE, but zk doesn't use that particular feature: see https://issues.apache.org/jira/browse/ZOOKEEPER-4423
I don't think any action is needed here
thank you for the quick analysis on this @adleong !
If no action is necessary, I'll close this and we can reopen, if necessary
Just a quick note about the log4j.properties file linked to by @kadeatfox above: Netty uses slf4j, which allows you to swap out logging implementations. That file is there for people who provide log4j as their logging implementation.
I'll also capture the investigation done by Jorge Vargas in #linkerd1 on the Linkerd community Slack, before Slack swallows the conversation forever:
Hello, sharing what I've found regarding the log4j vuln in Linkerd. I cloned the linkerd/linkerd repo and checked out the 1.6.3 tag, which is the version we're using, then I added a dependency tree plugin to the sbt plugins file, and after executing it I only see log4j 1.2.16 and 1.2.17. I'll do the same with tag 1.7.4.
I also started looking into netty and, if I'm not mistaken, log4j was updated to v2 in version 4.1.65.final (netty/netty#11264).
on linkerd 1.6.3 I see netty 4.1.31.final
on linkerd 1.7.4 I see netty 4.1.47.final and log4j 1.2.16 and 1.2.17
From these dependencies it seems like linkerd 1 is safe, but log4j 1 has other vulnerabilities, although not as critical as log4shell.
To summarize, as best we can tell, Linkerd 1.x is not vulnerable to CVE-2021-44228.
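To make the dependency-tree check described in the thread repeatable, here is an added example (not code from the thread or from the Linkerd project) that scans `sbt dependencyTree` output and labels each log4j coordinate it finds. The sample tree is constructed: the netty and log4j lines follow the thread's findings for 1.7.4, while the root coordinate, the ZooKeeper version and the extra log4j-core branch are assumptions added to exercise the classifier.

```python
import re

# Constructed sample of `sbt dependencyTree` output: the netty and log4j lines mirror the
# thread's findings for Linkerd 1.7.4; the root coordinate, the ZooKeeper version and
# the log4j-core branch are illustrative additions, not Linkerd's real tree.
SAMPLE_TREE = """\
[info] io.buoyant:linkerd:1.7.4
[info]   +-io.netty:netty-all:4.1.47.Final
[info]   +-org.apache.zookeeper:zookeeper:3.4.14
[info]   | +-log4j:log4j:1.2.16 (evicted by: 1.2.17)
[info]   | +-log4j:log4j:1.2.17
[info]   +-org.apache.logging.log4j:log4j-core:2.14.1
"""

# group:artifact:version; group starts with a letter so the "+-" connector is not captured.
COORD_RE = re.compile(r"([A-Za-z][\w.\-]*):([\w.\-]+):([\w.\-]+)")

def version_tuple(version):
    # Numeric prefix only: "4.1.47.Final" -> (4, 1, 47); pre-release tags are ignored.
    nums = []
    for part in re.split(r"[.\-]", version):
        if not part.isdigit():
            break
        nums.append(int(part))
    return tuple(nums)

def classify(group, artifact, version):
    # Risk label for log4j coordinates; None for any other artifact.
    if group == "org.apache.logging.log4j" and artifact == "log4j-core":
        # CVE-2021-44228 is the JNDI message lookup in log4j-core 2.x, fixed in 2.15.0
        # (later releases fix follow-up issues, so still check current advisories).
        return "affected-cve-2021-44228" if version_tuple(version) < (2, 15) else "not-affected"
    if group == "log4j" and artifact == "log4j" and version.startswith("1."):
        # log4j 1.x has no lookup feature, so CVE-2021-44228 does not apply, but the
        # branch is end-of-life with older issues of its own: an upgrade ticket, not a fire.
        return "not-affected-log4j1-eol"
    return None

def audit(tree_text):
    # One (coordinate, risk, evicted) tuple per log4j line; evicted versions are kept
    # because they show which transitive path asked for which version.
    findings = []
    for line in tree_text.splitlines():
        match = COORD_RE.search(line)
        if match is None:
            continue
        group, artifact, version = match.groups()
        risk = classify(group, artifact, version)
        if risk is not None:
            findings.append((f"{group}:{artifact}:{version}", risk, "evicted by" in line))
    return findings
```

Run `sbt dependencyTree > tree.txt` in the checked-out tag and pass the file contents to `audit()`; an empty result for the `affected-cve-2021-44228` label is the outcome the thread reports for 1.6.3 and 1.7.4.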