(I joined in the discussion on the ZK list, thanks Patrick, though I know
that comment is targeted more at the core Helix team than myself)

I had a mis-step last week in determining which set of logging dependencies
to use, but I think the PR is up-to-date and correct now:
https://github.com/apache/helix/pull/1922

All the tests ran successfully and all my spot testing of command line
tools like the agent and controller seems to be behaving properly.
Obviously any independent verification other folks are able to do would be
super helpful.

Assuming this all looks good and gets merged, will it be feasible to cut a
new 1.0.3 release or at least make a new tag in GitHub?  This is almost
more of a "hotfix" type situation, so I'm not sure how you all normally
handle that sort of thing.  From my standpoint, I think it'd be really
useful if there were a way for Helix customers to easily get their hands on
a mitigated version.  I know I personally am having to custom patch this in
my environment currently, so being able to use an "official" release would
make my life way easier.

On a side note, a Log4j 2.17.0 was just released, so we may also want to
consider updating the PR from 2.16.0 too, which should be pretty easy.

Thanks for your time and help!

~Brent

On Thu, Dec 16, 2021 at 3:53 PM Patrick Hunt <ph...@apache.org> wrote:

> The ZK community has been discussing where to go wrt log4j/... -- as a
> "customer" if you have any insights it would be good for you to weigh in.
> Perhaps help out with testing early rcs and any downstream impact.
>
> Regards,
>
> Patrick
>
> On Thu, Dec 16, 2021 at 2:24 PM Hunter Lee <naren...@gmail.com> wrote:
>
> > Thanks Brent for a quick turnaround.
> >
> > With Helix we find that laptops aren't usually powerful enough to run
> > tests. But around last year we started looking at GitHub CI for testing
> > results for testing consistency.
> >
> > Seems that the test is still running, so let's wait this out and see what
> > we get.
> >
> > Hunter
> >
> > On Thu, Dec 16, 2021 at 5:17 PM Junkai Xue <j...@apache.org> wrote:
> >
> > > Thanks Brent! Right, I was commenting on your PR with that. Maybe we need
> > > to run the patch you provided to double verify it before merging.
> > > Anyway, thanks for contributing to this!
> > >
> > > Best,
> > >
> > > Junkai
> > >
> > > On Thu, Dec 16, 2021 at 2:11 PM Brent <brentwritesc...@gmail.com> wrote:
> > >
> > > > I'm sure you all saw the notifications, but I pushed a PR for this at
> > > > https://github.com/apache/helix/pull/1922
> > > >
> > > > I describe some of this in the PR, but the changes rippled out a little
> > > > further than I thought, partly due to the Zookeeper dependency still
> > > > bringing in vulnerable versions and partly due to a few places in code
> > > > referencing Log4j 1.x APIs/packages/classes directly.
> > > >
> > > > My main concern, other than the magnitude of the change, is that I
> > > > successfully ran all of the tests except helix-core.  All of the helix-core
> > > > tests succeeded up until the last 150 or so when I started getting out of
> > > > memory errors, e.g.:
> > > > [ERROR] Failures:
> > > > [ERROR]   TestConfigAccessor.testBasic:50 » OutOfMemory unable to create new native thre...
> > > > [ERROR]   TestConfigAccessor.testDeleteCloudConfig:329 » OutOfMemory unable to create ne...
> > > > [ERROR]   TestConfigAccessor.testSetRestConfig:219 » OutOfMemory unable to create new na...
> > > >
> > > > I can't tell if that's just my laptop or if it's a legitimate problem
> > > > introduced by this change, so any independent verification (maybe the PR
> > > > hooks already do this) would be greatly appreciated.  I'm going to try to
> > > > test this in one of our dev environments, but it would be great if
> > > > someone else could independently verify too.
> > > >
> > > > Thanks!
> > > >
> > > > ~Brent
> > > >
> > > > On Wed, Dec 15, 2021 at 11:01 AM Hunter Lee <naren...@gmail.com> wrote:
> > > >
> > > > > Thanks Brent. We'll keep an eye out for it.
> > > > >
> > > > > Hunter
> > > > >
> > > > > On Wed, Dec 15, 2021 at 12:42 AM Brent <brentwritesc...@gmail.com> wrote:
> > > > >
> > > > > > I filed this issue so we have something to track:
> > > > > > https://github.com/apache/helix/issues/1921
> > > > > >
> > > > > > I'm attempting to get Log4J 2.16.x building and running properly locally.
> > > > > > I will submit a PR if I can get it working.
> > > > > >
> > > > > > Thanks!
> > > > > >
> > > > > > On Tue, Dec 14, 2021 at 8:40 AM Brent <brentwritesc...@gmail.com> wrote:
> > > > > >
> > > > > > > Thanks Hunter, much appreciated!  I will try to put together a patch
> > > > > > > with what I've done for remediation elsewhere (good news is it's not much
> > > > > > > since Helix still inherits Log4J 1.x).  If you wouldn't mind, I might also
> > > > > > > file an issue to consider upgrading to Log4J 2.16.x that was just pushed
> > > > > > > out (https://lists.apache.org/thread/d6v4r6nosxysyq9rvnr779336yf0woz4).
> > > > > > > That one will require some more thought to make sure things don't break I
> > > > > > > suspect.
> > > > > > >
> > > > > > > ~Brent
> > > > > > >
> > > > > > > On Mon, Dec 13, 2021 at 1:42 PM Hunter Lee <naren...@gmail.com> wrote:
> > > > > > >
> > > > > > > > This is being discussed. Feel free to post a patch if you're interested
> > > > > > > > (but do let us know so there's no duplicate effort being made here).
> > > > > > > >
> > > > > > > > On Fri, Dec 10, 2021 at 1:33 PM Brent <brentwritesc...@gmail.com> wrote:
> > > > > > > >
> > > > > > > > > [Feel free to take this offline or out-of-band if this is an inappropriate
> > > > > > > > > place to discuss this]
> > > > > > > > >
> > > > > > > > > Is there any hotfixing planned as a result of the Log4J zero day going
> > > > > > > > > around?
> > > > > > > > >
> > > > > > > > > Reference: https://www.lunasec.io/docs/blog/log4j-zero-day/
> > > > > > > > > CVE: https://nvd.nist.gov/vuln/detail/CVE-2021-44228
> > > > > > > > >
> > > > > > > > > From what I can tell, Helix seems to be building with
> > > > > > > > > https://mvnrepository.com/artifact/org.slf4j/slf4j-log4j12/1.7.14 which in
> > > > > > > > > turn maps to https://mvnrepository.com/artifact/log4j/log4j/1.2.17
> > > > > > > > >
> > > > > > > > > The exploit is more prevalent in the 2.x versions of Log4J, but there are
> > > > > > > > > scenarios where 1.x is exploitable and it's been pointed out that 1.x is
> > > > > > > > > also end of life and has other vulnerabilities.
> > > > > > > > >
> > > > > > > > > See:
> > > > > > > > > https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126
> > > > > > > > >
> > > > > > > > > Thanks!
> > > > > > > > >
> > > > > > > > > ~Brent
> > > > > > > > >
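As an added example (not code from the Helix PR or from anyone in this thread), the following Python script audits `mvn dependency:tree` output for the three things the thread is chasing: the end-of-life `log4j:log4j` 1.x artifact, the `slf4j-log4j12` binding that drags it in, and any `org.apache.logging.log4j:log4j-core` below a minimum version (2.17.0 by default, the release mentioned above). It also reports which direct dependency pulled each hit in transitively, which is how a "Zookeeper still brings in vulnerable versions" situation shows up. The tree text is constructed for illustration and is not Helix's actual dependency graph; only the Maven coordinate format and the group/artifact names are real.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of `mvn dependency:tree` output (not a real Helix build).
SAMPLE_TREE = """\
[INFO] com.example:service:jar:1.0.3-SNAPSHOT
[INFO] +- org.slf4j:slf4j-log4j12:jar:1.7.14:compile
[INFO] |  \\- log4j:log4j:jar:1.2.17:compile
[INFO] +- org.apache.zookeeper:zookeeper:jar:3.6.3:compile
[INFO] |  \\- log4j:log4j:jar:1.2.17:compile
[INFO] \\- org.apache.logging.log4j:log4j-core:jar:2.16.0:compile
"""

# Maven draws each tree level with a 3-character block: "+- ", "\- ", "|  " or "   ".
LINE_RE = re.compile(r"^\[INFO\]\s?(?P<prefix>(?:[|+\\ -]{3})*)(?P<coord>\S+)")


def parse_tree(text: str) -> List[Tuple[int, str]]:
    """Return (depth, coordinate) for every dependency line; other log lines are skipped."""
    nodes = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or ":" not in m.group("coord"):
            continue
        nodes.append((len(m.group("prefix")) // 3, m.group("coord")))
    return nodes


def split_coord(coord: str) -> Tuple[str, str, str]:
    """group:artifact:type[:classifier]:version[:scope] -> (group, artifact, version)."""
    parts = coord.split(":")
    # The root line has no scope, so its version is last; every other line ends in a scope.
    version = parts[-1] if len(parts) == 4 else parts[-2]
    return parts[0], parts[1], version


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric tuple for ordering, e.g. '2.16.0' -> (2, 16, 0); qualifiers are ignored."""
    return tuple(int(x) for x in re.findall(r"\d+", version))


def audit_log4j(tree_text: str, min_log4j2: str = "2.17.0") -> List[Dict[str, Optional[str]]]:
    """Flag Log4j-related artifacts and record which parent dependency introduced each."""
    findings: List[Dict[str, Optional[str]]] = []
    path: List[str] = []  # coordinates from the root down to the current node
    for depth, coord in parse_tree(tree_text):
        del path[depth:]  # drop siblings/descendants of the previous branch
        via = path[-1] if path else None
        path.append(coord)
        group, artifact, version = split_coord(coord)
        reason = None
        if (group, artifact) == ("log4j", "log4j"):
            reason = "Log4j 1.x is end of life; migrate to Log4j 2"
        elif (group, artifact) == ("org.slf4j", "slf4j-log4j12"):
            reason = "SLF4J binding pulls in Log4j 1.x; replace with a Log4j 2 binding"
        elif (group, artifact) == ("org.apache.logging.log4j", "log4j-core") and \
                version_key(version) < version_key(min_log4j2):
            reason = f"log4j-core {version} is below {min_log4j2}; upgrade"
        if reason:
            findings.append({"artifact": f"{group}:{artifact}", "version": version,
                             "via": via, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in audit_log4j(SAMPLE_TREE):
        print(f"{f['artifact']}:{f['version']}  via {f['via'] or '<direct>'}  -> {f['reason']}")
```

Run it as `mvn dependency:tree | python audit.py` after swapping `SAMPLE_TREE` for `sys.stdin.read()`; the `via` column tells you whether the fix is a version bump in your own `pom.xml` or an `<exclusion>` on a transitive dependency such as ZooKeeper.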
