I'm sure you all saw the notifications, but I pushed a PR for this at
https://github.com/apache/helix/pull/1922

I describe some of this in the PR, but the changes rippled out a little
further than I thought, partly due to the Zookeeper dependency still
bringing in vulnerable versions and partly due to a few places in code
referencing Log4j 1.x APIs/packages/classes directly.

My main concern, other than the magnitude of the change, is that I
successfully ran all of the tests except helix-core.  All of the helix-core
tests succeeded up until the last 150 or so when I started getting out of
memory errors, e.g.:
[ERROR] Failures:
[ERROR]   TestConfigAccessor.testBasic:50 » OutOfMemory unable to create
new native thre...
[ERROR]   TestConfigAccessor.testDeleteCloudConfig:329 » OutOfMemory unable
to create ne...
[ERROR]   TestConfigAccessor.testSetRestConfig:219 » OutOfMemory unable to
create new na...

I can't tell if that's just my laptop or if it's a legitimate problem
introduced by this change, so any independent verification (maybe the PR
hooks already do this) would be greatly appreciated.  I'm going to try to
test this in one of our dev environments, but it would be great if
someone else could independently verify too.

Thanks!

~Brent

On Wed, Dec 15, 2021 at 11:01 AM Hunter Lee <naren...@gmail.com> wrote:

> Thanks Brent. We'll keep an eye out for it.
>
> Hunter
>
> On Wed, Dec 15, 2021 at 12:42 AM Brent <brentwritesc...@gmail.com> wrote:
>
> > I filed this issue so we have something to track:
> > https://github.com/apache/helix/issues/1921
> >
> > I'm attempting to get Log4J 2.16.x building and running properly locally.
> > I will submit a PR if I can get it working.
> >
> > Thanks!
> >
> > On Tue, Dec 14, 2021 at 8:40 AM Brent <brentwritesc...@gmail.com> wrote:
> >
> > > Thanks Hunter, much appreciated!  I will try to put together a patch with
> > > what I've done for remediation elsewhere (good news is it's not much since
> > > Helix still inherits Log4J 1.x).  If you wouldn't mind, I might also file
> > > an issue to consider upgrading to Log4J 2.16.x that was just pushed out
> > > (https://lists.apache.org/thread/d6v4r6nosxysyq9rvnr779336yf0woz4). That
> > > one will require some more thought to make sure things don't break I
> > > suspect.
> > >
> > > ~Brent
> > >
> > > On Mon, Dec 13, 2021 at 1:42 PM Hunter Lee <naren...@gmail.com> wrote:
> > >
> > >> This is being discussed. Feel free to post a patch if you're interested
> > >> (but do let us know so there's no duplicate effort being made here).
> > >>
> > >> On Fri, Dec 10, 2021 at 1:33 PM Brent <brentwritesc...@gmail.com> wrote:
> > >>
> > >> > [Feel free to take this offline or out-of-band if this is an
> > >> > inappropriate place to discuss this]
> > >> >
> > >> > Is there any hotfixing planned as a result of the Log4J zero day
> > >> > going around?
> > >> >
> > >> > Reference: https://www.lunasec.io/docs/blog/log4j-zero-day/
> > >> > CVE: https://nvd.nist.gov/vuln/detail/CVE-2021-44228
> > >> >
> > >> > From what I can tell, Helix seems to be building with
> > >> > https://mvnrepository.com/artifact/org.slf4j/slf4j-log4j12/1.7.14
> > >> > which in turn maps to https://mvnrepository.com/artifact/log4j/log4j/1.2.17
> > >> >
> > >> > The exploit is more prevalent in the 2.x versions of Log4J, but there
> > >> > are scenarios where 1.x is exploitable and it's been pointed out that
> > >> > 1.x is also end of life and has other vulnerabilities.
> > >> >
> > >> > See:
> > >> > https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126
> > >> >
> > >> > Thanks!
> > >> >
> > >> > ~Brent
> > >> >
> > >>
> > >
> >
>
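Two of the points raised in this thread, Log4j 1.x artifacts still arriving transitively (here via the ZooKeeper dependency) and the 2.16 target version, can be checked mechanically against `mvn dependency:tree` output rather than by reading the pom. The script below is an added example for this thread, not code from the Helix project or from anyone in the discussion. It assumes Maven's plain-text tree format (`groupId:artifactId:type[:classifier]:version[:scope]`, three indent characters per level); the two sample trees, their coordinates and versions are constructed for illustration and are not Helix's real dependency tree, and every function name in it is the example's own.

```python
"""Find Log4j artifacts that need remediation in `mvn dependency:tree` output.

Added example, not Helix project code. Flags:
  * log4j:log4j (Log4j 1.x, end of life, as the thread notes)
  * org.slf4j:slf4j-log4j12 (the SLF4J binding that pulls Log4j 1.x in)
  * org.apache.logging.log4j:log4j-core older than 2.16.0
"""
import re

# Constructed sample tree: coordinates and versions are illustrative only,
# not Helix's actual dependency tree.
SAMPLE_TREE = """\
[INFO] --- maven-dependency-plugin:3.1.2:tree (default-cli) @ helix-core ---
[INFO] org.apache.helix:helix-core:jar:0.0.0-EXAMPLE
[INFO] +- org.apache.zookeeper:zookeeper:jar:3.6.3:compile
[INFO] |  +- org.slf4j:slf4j-log4j12:jar:1.7.14:compile
[INFO] |  \\- log4j:log4j:jar:1.2.17:compile
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] \\- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
"""

# Constructed "after" tree: 1.x artifacts excluded from zookeeper, core pinned.
SAMPLE_TREE_FIXED = """\
[INFO] org.apache.helix:helix-core:jar:0.0.0-EXAMPLE
[INFO] +- org.apache.zookeeper:zookeeper:jar:3.6.3:compile
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.16.0:compile
[INFO] \\- org.apache.logging.log4j:log4j-api:jar:2.16.0:compile
"""

MIN_LOG4J2 = "2.16.0"

# Optional "[INFO] " prefix (absent when the tree is written with -DoutputFile),
# then the tree-drawing characters, then one whitespace-free coordinate.
LINE_RE = re.compile(r"^(?:\[INFO\]\s?)?([|+\\\- ]*)(\S+)$")


def parse_version(version):
    """Turn '2.16.0' into (2, 16, 0); stop at the first non-numeric component."""
    nums = []
    for part in re.split(r"[.\-]", version):
        m = re.match(r"\d+", part)
        if not m:
            break
        nums.append(int(m.group()))
    return tuple(nums)


def parse_tree(text):
    """Return (depth, groupId, artifactId, version) for every node in the tree."""
    nodes = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # plugin banners, separators, blank lines
        prefix, coord = m.groups()
        parts = coord.split(":")
        if len(parts) < 3:
            continue
        # The version is the first component after the type that starts with a
        # digit, which also skips an optional classifier such as "tests".
        version = next((p for p in parts[2:] if p[:1].isdigit()), None)
        if version is None:
            continue
        nodes.append((len(prefix) // 3, parts[0], parts[1], version))
    return nodes


def classify(group, artifact, version):
    """Return a reason string if the artifact needs remediation, else None."""
    if (group, artifact) == ("log4j", "log4j"):
        return "Log4j 1.x is end of life"
    if (group, artifact) == ("org.slf4j", "slf4j-log4j12"):
        return "SLF4J binding to Log4j 1.x"
    if (group, artifact) == ("org.apache.logging.log4j", "log4j-core") \
            and parse_version(version) < parse_version(MIN_LOG4J2):
        return f"log4j-core older than {MIN_LOG4J2}"
    return None


def find_vulnerable(text):
    """Return (coordinate, version, via, reason) for each flagged artifact.

    'via' is the direct dependency that transitively brought the artifact in
    (the exclusion target), or 'direct' when the project declares it itself."""
    findings = []
    ancestors = []  # coordinates of the nodes above the current one
    for depth, group, artifact, version in parse_tree(text):
        del ancestors[depth:]
        coord = f"{group}:{artifact}"
        ancestors.append(coord)
        reason = classify(group, artifact, version)
        if reason:
            via = ancestors[1] if depth >= 2 else "direct"
            findings.append((coord, version, via, reason))
    return findings


if __name__ == "__main__":
    for coord, version, via, reason in find_vulnerable(SAMPLE_TREE):
        print(f"{coord}:{version} via {via}: {reason}")
```

On the constructed sample this reports `slf4j-log4j12` and `log4j:log4j` as arriving via `org.apache.zookeeper:zookeeper`, which is the dependency that needs the exclusions, and the direct `log4j-core` as below 2.16.0; the "after" tree yields no findings. To run it against a real module, save `mvn dependency:tree` output to a file and pass its contents to `find_vulnerable`.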
