Request upgrade of all log4j 1.x to at least log4j 2.17.1, or patch vulnerabilities #2440
Comments
Thanks @DrCapt . We're taking a look.
@DrCapt do you currently use Linkerd's Zookeeper integration?
@wmorgan hi sorry for late response. No, we do not use Linkerd's Zookeeper integration. I will check with security to see if they can ignore the log4j dependency from Zookeeper, since we don't use it. Also, from what I understand from this comment, log4j is not pulled in from the Netty dependency, can you confirm?
@DrCapt That's correct. Linkerd does not pull in log4j from its Netty dependency. The Zookeeper component is the only part of Linkerd that has a log4j dependency (of a bad version). We can publish a new release of Linkerd that simply removes that component, but if you're not using it then you don't necessarily have to upgrade.
@wmorgan unfortunately, due to the politics surrounding our security, we need a version of Linkerd 1 that removes the Zookeeper component.
@DrCapt Ok, stay tuned!
@DrCapt We've just shipped Linkerd 1.7.5 which contains a version of Linkerd without Zookeeper. Please let us know if you run into any issues.
Filing a Linkerd issue
Issue Type:
What happened:
Linkerd 1 currently uses log4j 1.x through its Netty and Zookeeper dependencies according to #2438 (comment)
Even though log4j 1.x is not vulnerable to CVE-2021-44228, it is still end of life and has a number of other vulnerabilities which our security scanner is picking up.
What you expected to happen:
We request that Linkerd 1 be upgraded so that either only log4j 2.17.1 (or higher) is used, or the vulnerabilities in log4j 1.x are patched, in order to fulfill our security requirements.
We are a paying customer of Buoyant.
How to reproduce it (as minimally and precisely as possible):
Anything else we need to know?:
Environment:
We are using Linkerd 1.7.3.
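The issue turns on whether a shipped artifact actually bundles log4j 1.x classes (the Zookeeper component, per the thread) rather than log4j 2.x. The following is an added example, not code from the Linkerd project or from anyone in this thread: it scans a Java archive, including jars nested inside it, for the log4j 1.x class prefix (`org/apache/log4j/`) as opposed to the log4j 2.x prefix (`org/apache/logging/log4j/`), and reads the version from a bundled Maven `pom.properties` when one exists. The jar path is the caller's; `build_sample_jar` writes a constructed fat jar with a nested log4j 1.x jar purely so the scanner can be run offline, and the `1.2.17` version string in it is a constructed sample value, not a statement about what Linkerd 1.7.3 ships.

```python
"""Scan a jar (and nested jars) for bundled log4j 1.x vs 2.x classes.

Added example; not Linkerd project code. The class-prefix check is the
robust signal: pom.properties is only present for Maven-built artifacts.
"""
import io
import os
import tempfile
import zipfile
from dataclasses import dataclass, field
from typing import Dict, List, Optional

LOG4J1_PREFIX = "org/apache/log4j/"            # log4j 1.x package
LOG4J2_PREFIX = "org/apache/logging/log4j/"    # log4j 2.x package
NESTED_SUFFIXES = (".jar", ".war", ".zip")


@dataclass
class Log4jFindings:
    log4j1_classes: List[str] = field(default_factory=list)  # "<archive>!<entry>"
    log4j2_classes: List[str] = field(default_factory=list)
    versions: Dict[str, str] = field(default_factory=dict)   # pom.properties entry -> version


def _parse_pom_properties(raw: bytes) -> Dict[str, str]:
    """Minimal key=value parser for Maven's pom.properties."""
    props = {}
    for line in raw.decode("utf-8", errors="replace").splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def _scan_zip(zf: zipfile.ZipFile, label: str, out: Log4jFindings, depth: int) -> None:
    for info in zf.infolist():
        name = info.filename
        if name.startswith(LOG4J1_PREFIX) and name.endswith(".class"):
            out.log4j1_classes.append(f"{label}!{name}")
        elif name.startswith(LOG4J2_PREFIX) and name.endswith(".class"):
            out.log4j2_classes.append(f"{label}!{name}")
        elif name.endswith("pom.properties") and "log4j" in name:
            props = _parse_pom_properties(zf.read(name))
            if props.get("groupId") in ("log4j", "org.apache.logging.log4j") and "version" in props:
                out.versions[f"{label}!{name}"] = props["version"]
        elif name.endswith(NESTED_SUFFIXES) and depth > 0:
            # Fat/assembly jars and WARs carry their dependencies as nested archives.
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue
            with inner:
                _scan_zip(inner, f"{label}!{name}", out, depth - 1)


def scan_jar(path: str, max_depth: int = 3) -> Log4jFindings:
    """Return every log4j 1.x / 2.x class entry and bundled version found under `path`."""
    out = Log4jFindings()
    with zipfile.ZipFile(path) as zf:
        _scan_zip(zf, path, out, max_depth)
    return out


def has_log4j1(findings: Log4jFindings) -> bool:
    return bool(findings.log4j1_classes)


def build_sample_jar(path: Optional[str] = None) -> str:
    """Constructed sample input (not a real Linkerd artifact): a fat jar that
    contains a log4j 2.x class at top level and a nested log4j 1.x jar."""
    if path is None:
        path = os.path.join(tempfile.mkdtemp(), "sample-app.jar")
    inner_buf = io.BytesIO()
    with zipfile.ZipFile(inner_buf, "w") as inner:
        inner.writestr("org/apache/log4j/Logger.class", b"\xca\xfe\xba\xbe")
        inner.writestr("META-INF/maven/log4j/log4j/pom.properties",
                       "groupId=log4j\nartifactId=log4j\nversion=1.2.17\n")  # constructed
    with zipfile.ZipFile(path, "w") as outer:
        outer.writestr("com/example/Main.class", b"\xca\xfe\xba\xbe")
        outer.writestr("org/apache/logging/log4j/LogManager.class", b"\xca\xfe\xba\xbe")
        outer.writestr("lib/log4j-1.2.17.jar", inner_buf.getvalue())
    return path


if __name__ == "__main__":
    sample = build_sample_jar()
    result = scan_jar(sample)
    print("log4j 1.x present:", has_log4j1(result))
    for entry, version in result.versions.items():
        print(entry, "->", version)
```

Run it against the real artifact with `scan_jar("/path/to/linkerd.jar")`; an empty `log4j1_classes` list after the fix means the 1.x classes are gone from the bundle, which is what a scanner keyed on file names or class packages will also check.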