lhotari opened a new pull request #186: URL: https://github.com/apache/pulsar-helm-chart/pull/186
### Motivation

CVE-2021-44228, a severe RCE for Log4J. The workaround is to set `-Dlog4j2.formatMsgNoLookups=true` system property.

CVE-2021-44228 is triggered if user-provided input is passed to Logger's debug/info/warn/error method directly. It doesn't get triggered if user-provided input is logged using {} placeholders. This reduces the likelihood of the exploit quite a lot.

### Modifications

Add `OPTS="${OPTS} -Dlog4j2.formatMsgNoLookups=true"` prefix to calls to `exec bin/pulsar` and `exec bin/bookkeeper`. This results in `-Dlog4j2.formatMsgNoLookups=true` system property getting set.
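A way to audit start commands for the prefix described under Modifications, as an added example that is not part of the pull request or the chart. The function names and the sample command lines are constructed for illustration; the check assumes the `OPTS=` assignment sits on the same line as the `exec` call, as the description states.

```shell
#!/bin/sh
# Added example: flag start commands that exec bin/pulsar or bin/bookkeeper
# without the OPTS="... -Dlog4j2.formatMsgNoLookups=true" prefix.
FLAG='-Dlog4j2.formatMsgNoLookups=true'

# Constructed sample input (not copied from the chart's templates).
sample_commands() {
  cat <<'EOF'
# constructed sample start commands
OPTS="${OPTS} -Dlog4j2.formatMsgNoLookups=true" exec bin/pulsar broker;
exec bin/pulsar zookeeper;
OPTS="${OPTS} -Dverbose=1" exec bin/bookkeeper bookie;
exec bin/bookkeeper autorecovery; OPTS="-Dlog4j2.formatMsgNoLookups=true"
EOF
}

# Print "<line number>: <line>" for every exec of bin/pulsar or
# bin/bookkeeper where the text BEFORE the exec lacks an OPTS= assignment
# carrying the flag. An assignment placed after the exec never reaches
# the JVM, so it is reported as well.
# Reads the files given as arguments, or stdin when there are none.
find_unmitigated() {
  awk -v flag="$FLAG" '
    match($0, /exec bin\/(pulsar|bookkeeper)/) {
      prefix = substr($0, 1, RSTART - 1)
      if (index(prefix, "OPTS=") == 0 || index(prefix, flag) == 0)
        printf "%d: %s\n", NR, $0
    }' "$@"
}

# Number of unmitigated exec lines; 0 means every call carries the prefix.
count_unmitigated() {
  find_unmitigated "$@" | wc -l | tr -d ' '
}

# Stand-alone run over the constructed sample.
sample_commands | find_unmitigated
```

To audit real output, pipe rendered manifests into `find_unmitigated` or pass the files as arguments.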