As many of you might have already heard of this, there's a severe RCE 0-day exploit found in Log4J (2.0 <= Apache log4j <= 2.14.1).

Blog post: https://www.lunasec.io/docs/blog/log4j-zero-day/
CVE-2021-44228 in GitHub Security Advisory: https://github.com/advisories/GHSA-jfh8-c2jp-5v3q

This also affects all Pulsar versions after 2.0.0-incubating since a vulnerable Log4J version is used. I'm not aware of a confirmed exploit for Pulsar.

The fix to Pulsar is to upgrade to Log4J 2.15.0. The PR is https://github.com/apache/pulsar/pull/13226 . The fix will be released as part of Pulsar 2.8.2, 2.7.4 and 2.9.1.

Before the fixed version is available, there's an immediate workaround to mitigate the security issue. I'd like to share mitigation instructions for this severe vulnerability:

- Add the -Dlog4j2.formatMsgNoLookups=true system property to the JVM arguments of all Pulsar processes. There are multiple ways to achieve this in Pulsar. It can be added to either the OPTS, PULSAR_GC or PULSAR_MEM environment variables.
- Upgrade to Pulsar 2.8.2, 2.7.4 or 2.9.1 once they are available.

There's a PR to handle adding the -Dlog4j2.formatMsgNoLookups=true system property in the Apache Pulsar Helm chart: https://github.com/apache/pulsar-helm-chart/pull/186 . Until that is available, the recommended approach is to add "-Dlog4j2.formatMsgNoLookups=true" to OPTS, PULSAR_GC or PULSAR_MEM manually and ensure that the Java process picks up the system property. It's also necessary to check that the property doesn't have typos. The setting is case sensitive.

Please patch your production systems asap!

BR, Lari Hotari
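The post asks operators to confirm that the running JVM actually picked up the property and that it has no typos (the name is case sensitive). The following POSIX shell script is an added example, not part of the original message or of the Pulsar project: it checks a JVM command line for the exact -Dlog4j2.formatMsgNoLookups=true argument, reports case or spelling near misses separately, and can read the live command line of each java process from Linux /proc. The sample command lines are constructed for the demonstration.

```shell
#!/bin/sh
# Constructed sample JVM command lines (not taken from the original post):
# one correct, one with the property in the wrong case, one without it.
OK_CMDLINE='java -Xms2g -Xmx2g -Dlog4j2.formatMsgNoLookups=true -cp /pulsar/lib/* org.apache.pulsar.PulsarBrokerStarter'
TYPO_CMDLINE='java -Xms2g -Xmx2g -Dlog4j2.formatmsgnolookups=true -cp /pulsar/lib/* org.apache.pulsar.PulsarBrokerStarter'
MISSING_CMDLINE='java -Xms2g -Xmx2g -cp /pulsar/lib/* org.apache.pulsar.PulsarBrokerStarter'

# check_nolookups CMDLINE
# Returns 0 when the exact, case-sensitive property is present as its own argument,
# 2 when a look-alike (wrong case or spelling) is found, 1 when it is absent.
check_nolookups() {
    cmdline=$1
    case " $cmdline " in
        *" -Dlog4j2.formatMsgNoLookups=true "*) return 0 ;;
    esac
    # Case-insensitive search so that a mistyped property is reported, not silently ignored.
    if printf '%s\n' "$cmdline" | grep -qi 'formatmsgnolookups'; then
        return 2
    fi
    return 1
}

# check_pid PID
# Reads the live argument list of a running process (Linux /proc, NUL-separated)
# and applies the same check; returns 1 if the process cannot be read.
check_pid() {
    pid=$1
    [ -r "/proc/$pid/cmdline" ] || return 1
    cmdline=$(tr '\0' ' ' < "/proc/$pid/cmdline")
    check_nolookups "$cmdline"
}

# Reports on every java process on this host; run as a user that can read /proc/PID/cmdline.
report_java_processes() {
    for pid in $(pgrep -x java 2>/dev/null); do
        check_pid "$pid"
        case $? in
            0) echo "PID $pid: -Dlog4j2.formatMsgNoLookups=true present" ;;
            2) echo "PID $pid: near miss, check case and spelling of the property" ;;
            *) echo "PID $pid: property missing" ;;
        esac
    done
}

report_java_processes
```

The same check can be pointed at the output of `ps -o args= -p PID` on hosts without /proc.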