Dear Pulsar community members,

There's yet another new CVE, CVE-2021-45105 in Log4j < 2.17.0. Details: https://logging.apache.org/log4j/2.x/security.html

Summary: Pulsar isn't impacted by CVE-2021-45105 when the default log4j configuration provided with Pulsar is used. However, remember that Pulsar is impacted by the actual Log4Shell CVE and Pulsar users should patch immediately. Patching instructions are in the blog post https://pulsar.apache.org/blog/2021/12/11/Log4j-CVE/ . Fixed versions 2.7.4, 2.8.2 and 2.9.1 will be available asap, but it's not recommended to wait for a fixed version before acting, since patching can be done immediately.

If you are concerned about the newest Log4j CVE, you can patch previous Docker images to upgrade to Log4j 2.17.0 with the solution in https://github.com/lhotari/pulsar-docker-images-patch-CVE-2021-44228 . That could be used to address both CVEs for old Pulsar releases.

If you are running old Pulsar versions, please note that Pulsar < 2.6.4 or 2.7.0 contain a severe Pulsar-specific CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22160

There's a pull request to upgrade Log4j to 2.17.0 in apache/pulsar: https://github.com/apache/pulsar/pull/13392

Detailed analysis of the impact of CVE-2021-45105 on Pulsar:

Description of CVE-2021-45105, https://logging.apache.org/log4j/2.x/security.html

> Apache Log4j2 versions 2.0-alpha1 through 2.16.0 did not protect from
> uncontrolled recursion from self-referential lookups. When the logging
> configuration uses a non-default Pattern Layout with a Context Lookup (for
> example, $${ctx:loginId}), attackers with control over Thread Context Map
> (MDC) input data can craft malicious input data that contains a recursive
> lookup, resulting in a StackOverflowError that will terminate the process.
> This is also known as a DOS (Denial of Service) attack.
>

In the Pulsar Log4j configuration (conf/log4j2.yaml), the context lookup or thread context map patterns are: $${ctx:function}, $${ctx:instance} and %X{instance}. These are only used in Pulsar when running Functions in the Thread runtime.

The user could impact the function name, but "${" are not valid characters for any names in Pulsar. Therefore, Pulsar isn't impacted by CVE-2021-45105 when the default log4j configuration is used.

Source code references:

Default Log4j configuration: https://github.com/apache/pulsar/blob/master/conf/log4j2.yaml

This is where the thread context map is set in Pulsar Function instances: https://github.com/apache/pulsar/blob/7bf14b5ac049d71c7ff74bbe758cb41aaffeb0af/pulsar-functions/instance/src/main/java/org/apache/pulsar/functions/instance/JavaInstanceRunnable.java#L179-L182

Pulsar name validation pattern: https://github.com/apache/pulsar/blob/7bf14b5ac049d71c7ff74bbe758cb41aaffeb0af/pulsar-common/src/main/java/org/apache/pulsar/common/naming/NamedEntity.java#L31-L34

Regards,
Lari Hotari
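The following is an added illustration of the two points the message above makes; it is not part of Lari's e-mail and not Pulsar or Log4j code. It uses a toy stand-in for Log4j's `${ctx:key}` lookup grammar to show why a self-referential Thread Context Map value recurses (the CVE-2021-45105 condition), a name check that approximates Pulsar's NamedEntity validation (the regex is an assumption, not copied from the project) which rejects any value containing `${`, and a small audit that lists the MDC-reading tokens in a log4j2 configuration. The YAML fragment is constructed in the style of a functions appender and is not the project's file.

```python
import re

# Toy stand-in for Log4j's "${ctx:key}" lookup grammar (assumption, not Log4j code).
CTX_LOOKUP = re.compile(r"\$\{ctx:([^}]*)\}")
MAX_DEPTH = 50  # constructed guard: report runaway recursion instead of overflowing the stack


def expand(layout: str, mdc: dict, depth: int = 0) -> str:
    """Resolve ${ctx:key} against the MDC, then re-expand the substituted value.

    Re-expanding is what makes a self-referential value recurse: a value of
    "${ctx:function}" stored under the key "function" resolves to itself
    forever.  Here that surfaces as RecursionError instead of a crashed process.
    """
    if depth > MAX_DEPTH:
        raise RecursionError("self-referential ctx lookup")
    return CTX_LOOKUP.sub(lambda m: expand(mdc.get(m.group(1), ""), mdc, depth + 1), layout)


def safe_expand(layout: str, mdc: dict) -> tuple:
    """(True, expanded text) on success, (False, reason) when the lookup recurses."""
    try:
        return True, expand(layout, mdc)
    except RecursionError as e:
        return False, str(e)


# Assumption: approximates Pulsar's NamedEntity validation (ASCII letters,
# digits, '_', '-', '=', ':' and '.'); it is not copied from the project.
NAMED_ENTITY_PATTERN = re.compile(r"[-=:.\w]*", re.ASCII)


def is_valid_name(name: str) -> bool:
    """True if every character is allowed.  '$', '{' and '}' are not, so a
    lookup string can never become a function name and reach the MDC."""
    return NAMED_ENTITY_PATTERN.fullmatch(name) is not None


# Tokens that pull Thread Context Map data into a layout or file name:
# "${ctx:..}" / "$${ctx:..}" lookups and the %X MDC pattern converter.
MDC_TOKEN = re.compile(r"\$\$?\{ctx:[^}]*\}|%X\{[^}]*\}|%X\b")


def audit_config(config_text: str) -> list:
    """List every (line number, token) in a log4j2 config that reads the MDC."""
    hits = []
    for n, line in enumerate(config_text.splitlines(), 1):
        for tok in MDC_TOKEN.findall(line):
            hits.append((n, tok))
    return hits


# Constructed log4j2.yaml fragment in the style of a Pulsar functions appender
# (not the project's file).  "$$" defers the lookup from config load to log time.
SAMPLE_CONFIG = """\
RollingRandomAccessFile:
  name: FunctionFile
  fileName: "${sys:pulsar.log.dir}/functions/$${ctx:function}-$${ctx:instance}.log"
  PatternLayout:
    Pattern: "%d [%t] %-5level %X{instance} - %msg%n"
"""

if __name__ == "__main__":
    print("MDC-reading tokens:", audit_config(SAMPLE_CONFIG))
    benign = {"function": "my-function", "instance": "0"}       # constructed MDC
    hostile = {"function": "${ctx:function}", "instance": "0"}  # constructed MDC
    print(safe_expand("${ctx:function}-${ctx:instance}", benign))
    print(safe_expand("${ctx:function}-${ctx:instance}", hostile))
    for name in ("my-function", "${ctx:function}"):
        print(name, "->", "valid" if is_valid_name(name) else "rejected")
```

Running the script shows the hostile MDC value recursing and the same value being rejected by the name check, which is the reasoning in the message: the only user-influenced MDC input in the default configuration is the function name, and that name can never contain the lookup syntax. `audit_config` is the check to run against your own conf/log4j2.yaml if you have customised the layouts or file names.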