Assess Linkerd 1.x vulnerability to CVE-2021-44228 #2438
Comments
Are you sure that this is only related to the UI? Wouldn't Linkerd's proxy interfaces be an attack vector?
Also, are we sure that Netty is the only dependency that pulls in log4j? Does ZooKeeper use it, for instance?
Not 100% sure, but will dig into it.
Also need to research this and upgrade the appropriate libraries.
Hello @cpretzer - Which versions of Linkerd would use this dependency? It looks very much that the Is there any possibility this version will be updated?
The log4j dependency of Netty is optional, so Linkerd doesn't actually pull in log4j through Netty at all. The only place we pull in log4j is through ZooKeeper, and the version ZK depends on is 1.2.17, which is too old to be vulnerable to Log4Shell. log4j 1.2.17 is theoretically vulnerable to some different, older RCE, but ZK doesn't use that particular feature: see https://issues.apache.org/jira/browse/ZOOKEEPER-4423. I don't think any action is needed here.
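One way to verify the dependency reasoning above on a deployed classpath, as an added example (not Linkerd, Netty or ZooKeeper project code): instead of trusting JAR file names, the script reads each JAR's Maven pom.properties to identify the log4j generation and version, and checks for the JndiLookup class that is the CVE-2021-44228 sink, so a shaded JAR or a JAR with the class stripped is classified correctly. The fix versions (2.15.0, and 2.12.2 / 2.3.1 on the Java 7 / Java 6 branches) are from the Apache advisory; the sample JARs, their contents and the path names are constructed inline for illustration.

```python
"""Classify JARs on a JVM classpath for CVE-2021-44228 (Log4Shell) exposure.

Added example, not Linkerd/Netty/ZooKeeper project code.  It inspects each
JAR's Maven pom.properties and the presence of JndiLookup.class rather than
trusting file names.  Sample JARs are constructed inline (not real artifacts).
"""
import os
import re
import tempfile
import zipfile

# Maven coordinates that identify the two log4j generations.
LOG4J2_POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
LOG4J1_POM = "META-INF/maven/log4j/log4j/pom.properties"
# Class whose JNDI lookup is the CVE-2021-44228 sink; deleting it from the
# JAR was the vendor-documented hot mitigation for 2.x builds.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 9).  Pads to 3 parts."""
    nums = [int(n) for n in re.findall(r"\d+", text)][:3]
    return tuple(nums + [0] * (3 - len(nums)))


def log4j2_fixed_for_44228(version):
    """True when a log4j-core 2.x version carries the CVE-2021-44228 fix
    (Apache advisory: 2.15.0; 2.12.2 on the Java 7 branch; 2.3.1 on Java 6)."""
    v = parse_version(version)
    if v[:2] == (2, 3):
        return v >= (2, 3, 1)
    if v[:2] == (2, 12):
        return v >= (2, 12, 2)
    return v >= (2, 15, 0)


def read_pom_version(jar, pom_path):
    """Return the 'version=' value from a pom.properties entry, or None."""
    try:
        data = jar.read(pom_path).decode("utf-8", "replace")
    except KeyError:
        return None
    for line in data.splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def classify_jar(path):
    """Return {'path','log4j','version','jndi_lookup','status'} for one JAR.

    status: 'vulnerable'   2.x below the fix version with JndiLookup present
                           (or a shaded JAR carrying JndiLookup, version unknown)
            'mitigated'    2.x below the fix version but JndiLookup.class absent
            'fixed'        2.x at or above the fix version
            'not-affected' log4j 1.x: no JNDI lookup (EOL; review appender config)
            'none'         no log4j found
    """
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
        has_jndi = JNDI_LOOKUP in names
        v2 = read_pom_version(jar, LOG4J2_POM)
        v1 = read_pom_version(jar, LOG4J1_POM)
    if v2 is None and has_jndi:  # shaded/uber JAR without Maven metadata
        return dict(path=path, log4j="2.x (shaded)", version=None, jndi_lookup=True, status="vulnerable")
    if v2 is not None:
        if log4j2_fixed_for_44228(v2):
            status = "fixed"
        else:
            status = "vulnerable" if has_jndi else "mitigated"
        return dict(path=path, log4j="2.x", version=v2, jndi_lookup=has_jndi, status=status)
    if v1 is not None:
        return dict(path=path, log4j="1.x", version=v1, jndi_lookup=has_jndi, status="not-affected")
    return dict(path=path, log4j=None, version=None, jndi_lookup=has_jndi, status="none")


def scan(paths):
    return [classify_jar(p) for p in paths]


def build_sample_jars(directory):
    """Constructed sample JARs (fake class bytes) covering each outcome."""
    cls = b"\xca\xfe\xba\xbe"  # JVM class-file magic, stands in for a real class
    samples = {
        "log4j-1.2.17.jar": {LOG4J1_POM: "groupId=log4j\nartifactId=log4j\nversion=1.2.17\n",
                             "org/apache/log4j/Logger.class": cls},
        "log4j-core-2.14.1.jar": {LOG4J2_POM: "version=2.14.1\n", JNDI_LOOKUP: cls},
        "log4j-core-2.14.1-stripped.jar": {LOG4J2_POM: "version=2.14.1\n"},
        "log4j-core-2.12.2.jar": {LOG4J2_POM: "version=2.12.2\n", JNDI_LOOKUP: cls},
        "app-shaded.jar": {"com/example/App.class": cls, JNDI_LOOKUP: cls},
        "netty-all-4.1.72.Final.jar": {"io/netty/channel/Channel.class": cls},
    }
    paths = []
    for name, entries in samples.items():
        p = os.path.join(directory, name)
        with zipfile.ZipFile(p, "w") as jar:
            for entry, payload in entries.items():
                jar.writestr(entry, payload)
        paths.append(p)
    return paths


def demo():
    """Build the constructed samples in a temp dir; return {jar name: status}."""
    with tempfile.TemporaryDirectory() as d:
        return {os.path.basename(r["path"]): r["status"] for r in scan(build_sample_jars(d))}


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:34} {status}")
```

On a real host, pass `scan()` the JARs of the JVM in question (for a Linkerd 1.x install that would be the contents of its lib directory, path assumed; e.g. `scan(glob.glob("/path/to/linkerd/lib/*.jar"))`). A 1.x JAR reports `not-affected` for this CVE, which matches the ZooKeeper finding above, but the script deliberately does not call log4j 1.x safe in general: it is end-of-life, and the older issue referenced in ZOOKEEPER-4423 depends on which appenders the application configures.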
Thank you for the quick analysis on this @adleong! If no action is necessary, I'll close this and we can reopen if necessary.
Just a quick note about the log4j.properties file linked to by @kadeatfox above: Netty uses slf4j, which allows you to swap out logging implementations. That file is there for people who provide log4j as their logging implementation.
I'll also capture the investigation done by Jorge Vargas in #linkerd1 on the Linkerd community Slack, before Slack swallows the conversation forever:
To summarize, as best we can tell, Linkerd 1.x is not vulnerable to CVE-2021-44228.
Netty has released version 4.1.72 to address a vulnerability in log4j.
At the moment, I believe this is a low-risk vulnerability for Linkerd, based on following best practices which ensure that the viz UIs are available only to internal users who are authorized to access the network where Linkerd is running. Organizations with publicly exposed viz UI dashboards should take steps to secure those interfaces.