The Helm chart got automatically released after merging the PR. https://pulsar.apache.org/charts/index.yaml shows the new chart version 2.7.6 which contains the fix.
The Helm chart will now add -Dlog4j2.formatMsgNoLookups=true to Java options. This doesn't apply to Pulsar Functions. For Pulsar Functions, you need to patch the docker images to get the fix (if not waiting for fixed releases). One possible solution for patching the docker images is provided in https://github.com/lhotari/pulsar-docker-images-patch-CVE-2021-44228 . I have patched apachepulsar/pulsar-all:2.8.1 and pushed it to lhotari/pulsar-all:2.8.1-log4j-patched as an example. Please test it and use it at your own risk.

I hope this helps mitigate Log4Shell before today is over.

-Lari

On Fri, Dec 10, 2021 at 4:17 PM Lari Hotari <lhot...@apache.org> wrote:
> I can confirm that Pulsar is exploitable with CVE-2021-44228.
> I'd like to propose releasing apache/pulsar-helm-chart after the
> workaround for CVE-2021-44228, PR
> https://github.com/apache/pulsar-helm-chart/pull/186 has been merged.
>
> Is it possible to expedite the decision about releasing this? I'm a
> volunteer for making the release.
>
> BR, Lari
>
> More details about CVE-2021-44228 in the email thread
> https://lists.apache.org/thread/pf8wfzt09c2dv4z291httlgdwtc1495c .
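Added here as an illustration, not code from the email or from the pulsar-helm-chart project: a small Python audit helper for verifying the mitigation described above on a running JVM or a container image. It checks whether a JVM command line carries the -Dlog4j2.formatMsgNoLookups=true option the chart now sets, and whether a log4j-core jar still contains JndiLookup.class (the jar used below is a constructed stand-in, not a real log4j artifact).

```python
"""Audit helpers for the CVE-2021-44228 mitigation: JVM flag and log4j-core jar content."""
import io
import re
import shlex
import zipfile

MITIGATION_FLAG = "-Dlog4j2.formatMsgNoLookups=true"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def jvm_has_nolookups_flag(cmdline: str) -> bool:
    """True if the JVM command line carries the flag the Helm chart now adds.

    Accepts the NUL-separated contents of /proc/<pid>/cmdline or a plain
    `ps -o args` line. Only the command line is inspected (not env vars).
    """
    args = cmdline.split("\0") if "\0" in cmdline else shlex.split(cmdline)
    return MITIGATION_FLAG in args


def log4j_core_status(jar_bytes: bytes) -> dict:
    """Report the Implementation-Version of a log4j-core jar and whether
    JndiLookup.class is still packaged (present -> image still needs patching)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
        version = None
        if "META-INF/MANIFEST.MF" in names:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
            if m:
                version = m.group(1)
    return {"version": version, "jndi_lookup_present": JNDI_LOOKUP in names}


def build_sample_jar(version: str, with_jndi: bool) -> bytes:
    """Constructed stand-in for a log4j-core jar: a manifest plus, optionally,
    a placeholder JndiLookup.class entry (not a real class file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        if with_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    print(jvm_has_nolookups_flag("java -cp pulsar.jar org.apache.pulsar.PulsarBrokerStarter"))
    print(log4j_core_status(build_sample_jar("2.14.1", with_jndi=True)))
```

On a live host, feed it the bytes of `/proc/<pid>/cmdline` and the log4j-core jar pulled out of the container image; a missing flag or a present JndiLookup.class means the mitigation is not in place for that process or image.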