Please see the blog post @ https://pulsar.apache.org/blog/
December 11, 2021 Matteo Merli

Yesterday, a new serious vulnerability was reported regarding Log4j that can allow remote code execution by attackers. The issue is described and tracked under CVE-2021-44228 <https://nvd.nist.gov/vuln/detail/CVE-2021-44228>.

Current releases of Apache Pulsar bundle Log4j2 versions that are affected by this vulnerability. We strongly recommend following the advisory of the Apache Log4j community and patching your systems as soon as possible.

There are 2 workarounds to patch a Pulsar deployment. You can set either of:

  Java property: -Dlog4j2.formatMsgNoLookups=true
  Environment variable: LOG4J_FORMAT_MSG_NO_LOOKUPS=true

Both approaches are effective in mitigating the vulnerability for Pulsar services.

Additionally, when running Pulsar Functions with the Kubernetes runtime, you should update your Docker images, following the example described here <https://github.com/lhotari/pulsar-docker-images-patch-CVE-2021-44228>.

If you are using the Pulsar Helm Chart for deploying in Kubernetes, a new version of the chart <https://github.com/apache/pulsar-helm-chart/releases/tag/pulsar-2.7.6> is already available and it applies the above-mentioned workaround.

We are already preparing new patch releases: 2.7.4, 2.8.2 and 2.9.1. These releases will be ready in the next few days and will bundle Log4j2 2.15.0, which contains the vulnerability fix.
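A way to verify that a running Pulsar JVM actually carries one of the two workarounds above, or already bundles a log4j-core at or past the 2.15.0 fix release, as an added example that is not code from this advisory or the Pulsar project; the command line, environment block and jar path it checks are constructed samples, and the `/proc` paths it mentions are the usual Linux source for the real inputs:

```shell
#!/bin/sh
# Added example, not from the Pulsar project: check a JVM's command line and
# environment for the CVE-2021-44228 workarounds named in the advisory.
# On Linux the real inputs come from /proc/<pid>/cmdline and /proc/<pid>/environ
# (NUL-separated; convert with `tr '\0' '\n'`); here they are passed as strings.

# Returns 0 when either workaround is present: the Java system property on the
# command line, or the environment variable set to exactly "true".
has_log4shell_workaround() {
  cmdline="$1"   # JVM arguments, space separated
  envblock="$2"  # environment as NAME=VALUE lines
  case " $cmdline " in
    *" -Dlog4j2.formatMsgNoLookups=true "*) return 0 ;;
  esac
  printf '%s\n' "$envblock" | grep -qx 'LOG4J_FORMAT_MSG_NO_LOOKUPS=true' && return 0
  return 1
}

# Returns 0 when a log4j-core jar filename is at least the 2.15.0 release the
# advisory names as containing the fix, 1 for older or unparseable versions.
log4j_core_is_fixed() {
  ver=$(printf '%s' "$1" | sed -n 's/.*log4j-core-\([0-9][0-9.]*\)\.jar$/\1/p')
  [ -n "$ver" ] || return 1
  major=${ver%%.*}
  rest=${ver#"$major"}; rest=${rest#.}
  minor=${rest%%.*}
  [ "$major" -gt 2 ] && return 0
  [ "$major" -eq 2 ] && [ "${minor:-0}" -ge 15 ] && return 0
  return 1
}

# Constructed sample inputs standing in for a broker's cmdline, environ and lib dir.
SAMPLE_CMDLINE='java -Xmx2g -Dlog4j2.formatMsgNoLookups=true -cp /pulsar/lib/* org.apache.pulsar.PulsarBrokerStarter'
SAMPLE_ENV='PULSAR_MEM=-Xms2g
LOG4J_FORMAT_MSG_NO_LOOKUPS=true'
SAMPLE_JAR='/pulsar/lib/org.apache.logging.log4j-log4j-core-2.14.1.jar'

has_log4shell_workaround "$SAMPLE_CMDLINE" "" && echo "property workaround present"
has_log4shell_workaround "" "$SAMPLE_ENV" && echo "env workaround present"
log4j_core_is_fixed "$SAMPLE_JAR" || echo "bundled log4j-core still vulnerable: $SAMPLE_JAR"
```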