[jira] [Commented] (ZOOKEEPER-4452) Log4j 1.X CVE-2022-23302/5/7 vulnerabilities

2022-01-25 Thread Christopher Tubbs (Jira)


[ https://issues.apache.org/jira/browse/ZOOKEEPER-4452?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17482078#comment-17482078 ]

Christopher Tubbs commented on ZOOKEEPER-4452:
--

For current ZK releases under maintenance, it might be a good idea to switch to 
https://reload4j.qos.ch/ to replace log4j1.x.
For the next release line, ZOOKEEPER-4427 is already addressing migration away 
from log4j1.

> Log4j 1.X CVE-2022-23302/5/7 vulnerabilities
> 
>
> Key: ZOOKEEPER-4452
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4452
> Project: ZooKeeper
>  Issue Type: Bug
>Reporter: Dominique Mongelli
>Priority: Major
>
> Some log4j 1.x vulnerabilities have been disclosed recently:
>  * CVE-2022-23302: [https://nvd.nist.gov/vuln/detail/CVE-2022-23302]
>  * CVE-2022-23305: [https://nvd.nist.gov/vuln/detail/CVE-2022-23305]
>  * CVE-2022-23307: [https://nvd.nist.gov/vuln/detail/CVE-2022-23307]
> We would like to know if zookeeper is affected by these vulnerabilities?



--
This message was sent by Atlassian Jira
(v8.20.1#820001)


[jira] [Created] (ZOOKEEPER-4452) Log4j 1.X CVE-2022-23302/5/7 vulnerabilities

2022-01-25 Thread Dominique Mongelli (Jira)
Dominique Mongelli created ZOOKEEPER-4452:
-

 Summary: Log4j 1.X CVE-2022-23302/5/7 vulnerabilities
 Key: ZOOKEEPER-4452
 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4452
 Project: ZooKeeper
  Issue Type: Bug
Reporter: Dominique Mongelli


Some log4j 1.x vulnerabilities have been disclosed recently:
 * CVE-2022-23302: [https://nvd.nist.gov/vuln/detail/CVE-2022-23302]
 * CVE-2022-23305: [https://nvd.nist.gov/vuln/detail/CVE-2022-23305]
 * CVE-2022-23307: [https://nvd.nist.gov/vuln/detail/CVE-2022-23307]

We would like to know if zookeeper is affected by these vulnerabilities?





[jira] [Resolved] (ZOOKEEPER-3988) org.apache.zookeeper.server.NettyServerCnxn.receiveMessage throws NullPointerException

2022-01-25 Thread Mate Szalay-Beko (Jira)


[ https://issues.apache.org/jira/browse/ZOOKEEPER-3988?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Mate Szalay-Beko resolved ZOOKEEPER-3988.
-
Resolution: Fixed

The fix has been merged, thanks [~eolivelli] for the work!

[~TheDevarshiShah], this patch indeed will be part of 3.8.0, 3.7.1, 3.6.4.

> org.apache.zookeeper.server.NettyServerCnxn.receiveMessage throws 
> NullPointerException
> --
>
> Key: ZOOKEEPER-3988
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3988
> Project: ZooKeeper
>  Issue Type: Bug
>  Components: server
>Affects Versions: 3.6.1
> Environment: K8S
>Reporter: Pratik Thacker
>Assignee: Enrico Olivelli
>Priority: Major
>  Labels: pull-request-available
> Fix For: 3.8.0, 3.7.1, 3.6.4
>
>  Time Spent: 2.5h
>  Remaining Estimate: 0h
>
> While upgrading K8S cluster, container running zookeeper will rollover one by 
> one.
> During this rollover, Null Pointer Exception was observed as below.
> {code:java}
> INFO  [QuorumPeer[myid=1](plain=0.0.0.0:2181)(secure=0.0.0.0:2281):Follower@292] - shutdown Follower
> INFO  [QuorumPeer[myid=1](plain=0.0.0.0:2181)(secure=0.0.0.0:2281):Follower@292] - shutdown Follower
> INFO  [QuorumPeer[myid=1](plain=0.0.0.0:2181)(secure=0.0.0.0:2281):LearnerZooKeeperServer@160] - Shutting down
> INFO  [QuorumPeer[myid=1](plain=0.0.0.0:2181)(secure=0.0.0.0:2281):ZooKeeperServer@784] - shutting down
> INFO  [QuorumPeer[myid=1](plain=0.0.0.0:2181)(secure=0.0.0.0:2281):RequestThrottler@244] - Shutting down
> INFO  [RequestThrottler:RequestThrottler@205] - Draining request throttler queue
> INFO  [RequestThrottler:RequestThrottler@181] - RequestThrottler shutdown. Dropped 0 requests
> INFO  [QuorumPeer[myid=1](plain=0.0.0.0:2181)(secure=0.0.0.0:2281):FollowerRequestProcessor@148] - Shutting down
> INFO  [QuorumPeer[myid=1](plain=0.0.0.0:2181)(secure=0.0.0.0:2281):CommitProcessor@617] - Shutting down
> INFO  [FollowerRequestProcessor:1:FollowerRequestProcessor@112] - FollowerRequestProcessor exited loop!
> INFO  [CommitProcessor:1:CommitProcessor@406] - CommitProcessor exited loop!
> INFO  [QuorumPeer[myid=1](plain=0.0.0.0:2181)(secure=0.0.0.0:2281):FinalRequestProcessor@662] - shutdown of request processor complete
> ERROR [nioEventLoopGroup-4-22:NettyServerCnxnFactory$CnxnChannelHandler@329] - Unexpected exception in receive
> java.lang.NullPointerException: null
>     at org.apache.zookeeper.server.NettyServerCnxn.receiveMessage(NettyServerCnxn.java:515) ~[zookeeper-3.6.1.jar:3.6.1]
>     at org.apache.zookeeper.server.NettyServerCnxn.processMessage(NettyServerCnxn.java:365) ~[zookeeper-3.6.1.jar:3.6.1]
>     at org.apache.zookeeper.server.NettyServerCnxnFactory$CnxnChannelHandler.channelRead(NettyServerCnxnFactory.java:326) [zookeeper-3.6.1.jar:3.6.1]
>     at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379) [netty-transport-4.1.48.Final.jar:4.1.48.Final]
>     at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365) [netty-transport-4.1.48.Final.jar:4.1.48.Final]
>     at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357) [netty-transport-4.1.48.Final.jar:4.1.48.Final]
>     at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410) [netty-transport-4.1.48.Final.jar:4.1.48.Final]
>     at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379) [netty-transport-4.1.48.Final.jar:4.1.48.Final]
>     at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365) [netty-transport-4.1.48.Final.jar:4.1.48.Final]
>     at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919) [netty-transport-4.1.48.Final.jar:4.1.48.Final]
>     at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:163) [netty-transport-4.1.48.Final.jar:4.1.48.Final]
>     at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:714) [netty-transport-4.1.48.Final.jar:4.1.48.Final]
>     at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:650) [netty-transport-4.1.48.Final.jar:4.1.48.Final]
>     at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:576) [netty-transport-4.1.48.Final.jar:4.1.48.Final]
>     at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:493) [netty-transport-4.1.48.Final.jar:4.1.48.Final]
>     at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:989)
>

[jira] [Resolved] (ZOOKEEPER-4450) Zookeeper 3.7.0 is using Vulnerable log4j of 1.2.17

2022-01-25 Thread Christopher Tubbs (Jira)


[ https://issues.apache.org/jira/browse/ZOOKEEPER-4450?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Christopher Tubbs resolved ZOOKEEPER-4450.
--
Resolution: Duplicate

> Zookeeper 3.7.0 is using Vulnerable log4j of 1.2.17
> ---
>
> Key: ZOOKEEPER-4450
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4450
> Project: ZooKeeper
>  Issue Type: Bug
>  Components: audit
>Affects Versions: 3.7.0, 3.6.2
> Environment: Production
>Reporter: Dilip anand
>Assignee: Mohammad Arshad
>Priority: Major
>   Original Estimate: 120h
>  Remaining Estimate: 120h
>
> Hello Team,
>  
> We are currently using Zookeeper of 3.4.6 and found the below log4j security 
> vulnerability.
>  
> The sad part is zookeeper is using too old log4j jar file and the fixed 
> version of log4j is 2.16.0.
>  
> Can we get the "log4j" fixed version of zookeeper as soon as possible to 
> include it in the production setup? 
>  
> Nessus scan report:
> -
> Path : /opt/zookeeper/zookeeper-3.4.10/bin/../lib/log4j-1.2.16.jar Installed 
> version : 1.2.16 Fixed version : 2.16.0
> Path : /opt/zookeeper/zookeeper-3.4.10/contrib/rest/lib/log4j-1.2.15.jar 
> Installed version : 1.2.15 Fixed version : 2.16.0
> Path : /opt/zookeeper/zookeeper-3.4.10/lib/log4j-1.2.16.jar Installed version 
> : 1.2.16 Fixed version : 2.16.0
>  
> Regards,
> Anandaa





[jira] [Resolved] (ZOOKEEPER-4451) vulnerable version of log4j (1.2.15/12.16) is being used in Zookeeper

2022-01-25 Thread Christopher Tubbs (Jira)


[ https://issues.apache.org/jira/browse/ZOOKEEPER-4451?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Christopher Tubbs resolved ZOOKEEPER-4451.
--
Resolution: Duplicate

> vulnerable version of log4j (1.2.15/12.16) is being used in Zookeeper 
> --
>
> Key: ZOOKEEPER-4451
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4451
> Project: ZooKeeper
>  Issue Type: Bug
>Reporter: Nagalakshmi Nagaraj
>Priority: Critical
>
> Even the latest version of Zookeeper (3.7.0) is still using the vulnerable 
> version of log4j
> log4j-1.2.15.jar
> log4j-1.2.16.jar
>  
> We require apache Zookeeper tar with the Fix version of log4j (2.17.1)





[jira] [Updated] (ZOOKEEPER-4451) vulnerable version of log4j (1.2.15/12.16) is being used in Zookeeper

2022-01-25 Thread Nagalakshmi Nagaraj (Jira)


[ https://issues.apache.org/jira/browse/ZOOKEEPER-4451?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Nagalakshmi Nagaraj updated ZOOKEEPER-4451:
---
Summary: vulnerable version of log4j (1.2.15/12.16) is being used in 
Zookeeper   (was: vulnerable version of log4j  is being used in Zookeeper 
(1.2.15/12.16))

> vulnerable version of log4j (1.2.15/12.16) is being used in Zookeeper 
> --
>
> Key: ZOOKEEPER-4451
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4451
> Project: ZooKeeper
>  Issue Type: Bug
>Reporter: Nagalakshmi Nagaraj
>Priority: Critical
>
> Even the latest version of Zookeeper (3.7.0) is still using the vulnerable 
> version of log4j
> log4j-1.2.15.jar
> log4j-1.2.16.jar
>  
> We require apache Zookeeper tar with the Fix version of log4j (2.17.1)





[jira] [Created] (ZOOKEEPER-4451) vulnerable version of log4j is being used in Zookeeper (1.2.15/12.16)

2022-01-25 Thread Nagalakshmi Nagaraj (Jira)
Nagalakshmi Nagaraj created ZOOKEEPER-4451:
--

 Summary: vulnerable version of log4j  is being used in Zookeeper 
(1.2.15/12.16)
 Key: ZOOKEEPER-4451
 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4451
 Project: ZooKeeper
  Issue Type: Bug
Reporter: Nagalakshmi Nagaraj


Even the latest version of Zookeeper (3.7.0) is still using the vulnerable 
version of log4j

log4j-1.2.15.jar

log4j-1.2.16.jar

 

We require apache Zookeeper tar with the Fix version of log4j (2.17.1)





[jira] [Created] (ZOOKEEPER-4450) Zookeeper 3.7.0 is using Vulnerable log4j of 1.2.17

2022-01-25 Thread Dilip anand (Jira)
Dilip anand created ZOOKEEPER-4450:
--

 Summary: Zookeeper 3.7.0 is using Vulnerable log4j of 1.2.17
 Key: ZOOKEEPER-4450
 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4450
 Project: ZooKeeper
  Issue Type: Bug
  Components: audit
Affects Versions: 3.6.2, 3.7.0
 Environment: Production
Reporter: Dilip anand
Assignee: Mohammad Arshad


Hello Team,

 

We are currently using Zookeeper of 3.4.6 and found the below log4j security 
vulnerability.

 

The sad part is zookeeper is using too old log4j jar file and the fixed version 
of log4j is 2.16.0.

 

Can we get the "log4j" fixed version of zookeeper as soon as possible to 
include it in the production setup? 

 

Nessus scan report:

-

Path : /opt/zookeeper/zookeeper-3.4.10/bin/../lib/log4j-1.2.16.jar Installed 
version : 1.2.16 Fixed version : 2.16.0

Path : /opt/zookeeper/zookeeper-3.4.10/contrib/rest/lib/log4j-1.2.15.jar 
Installed version : 1.2.15 Fixed version : 2.16.0

Path : /opt/zookeeper/zookeeper-3.4.10/lib/log4j-1.2.16.jar Installed version : 
1.2.16 Fixed version : 2.16.0

 

Regards,

Anandaa



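The Nessus report quoted in ZOOKEEPER-4450 and the reload4j suggestion in the ZOOKEEPER-4452 comment both come down to one check an operator can run locally: walk an installation, find every log4j 1.x jar, and confirm whether a reload4j jar is present as the replacement. The script below is an added example for this digest, not ZooKeeper project code and not what Nessus itself runs. Unlike a filename-only match it also reads the Maven pom.properties embedded in each jar, so a renamed or shaded copy of log4j:log4j 1.x is still reported. The directory layout, jar contents and version numbers it builds (including reload4j 1.2.19 and slf4j-api 1.7.30) are constructed for the demonstration and echo the paths in the quoted scan report; no real installation is read.

```python
"""Audit a directory tree for log4j 1.x jars and for a reload4j replacement.

Added example (not ZooKeeper project code). Identification prefers the
groupId/artifactId/version in META-INF/maven/**/pom.properties and falls
back to the log4j-<1.x>.jar filename pattern that scanners typically match.
"""
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass

LOG4J1_FILENAME = re.compile(r"^log4j-(1\.\d+(?:\.\d+)?)\.jar$", re.IGNORECASE)


@dataclass
class JarFinding:
    path: str
    group_id: str
    artifact_id: str
    version: str
    source: str  # "pom.properties" or "filename"

    @property
    def is_log4j1(self):
        # The log4j:log4j 1.x line is the one covered by CVE-2022-23302/23305/23307.
        return self.group_id == "log4j" and self.artifact_id == "log4j" and self.version.startswith("1.")

    @property
    def is_reload4j(self):
        # ch.qos.reload4j:reload4j is the drop-in fork suggested in the comment above.
        return self.group_id == "ch.qos.reload4j" and self.artifact_id == "reload4j"


def read_pom_properties(jar_path):
    """Return {key: value} from the first META-INF/maven/**/pom.properties, or {}."""
    try:
        with zipfile.ZipFile(jar_path) as zf:
            for name in zf.namelist():
                if name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
                    props = {}
                    for line in zf.read(name).decode("utf-8", "replace").splitlines():
                        line = line.strip()
                        if line and not line.startswith("#") and "=" in line:
                            key, value = line.split("=", 1)
                            props[key.strip()] = value.strip()
                    return props
    except zipfile.BadZipFile:
        pass  # not a valid zip; treated as unidentifiable
    return {}


def identify_jar(jar_path):
    """Identify a jar by its Maven coordinates, else by filename; None if neither works."""
    props = read_pom_properties(jar_path)
    if {"groupId", "artifactId", "version"} <= set(props):
        return JarFinding(jar_path, props["groupId"], props["artifactId"], props["version"], "pom.properties")
    match = LOG4J1_FILENAME.match(os.path.basename(jar_path))
    if match:
        return JarFinding(jar_path, "log4j", "log4j", match.group(1), "filename")
    return None


def scan_tree(root):
    """Return findings for every log4j 1.x or reload4j jar under root."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fname in sorted(files):
            if fname.lower().endswith(".jar"):
                finding = identify_jar(os.path.join(dirpath, fname))
                if finding is not None and (finding.is_log4j1 or finding.is_reload4j):
                    findings.append(finding)
    return findings


def _write_jar(path, group_id=None, artifact_id=None, version=None):
    """Write a minimal constructed jar, optionally with Maven pom.properties."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        if group_id:
            zf.writestr(f"META-INF/maven/{group_id}/{artifact_id}/pom.properties",
                        f"groupId={group_id}\nartifactId={artifact_id}\nversion={version}\n")
        else:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")


def build_demo_tree(root):
    """Constructed layout echoing the quoted Nessus paths; not a real installation."""
    _write_jar(os.path.join(root, "lib", "log4j-1.2.16.jar"), "log4j", "log4j", "1.2.16")
    _write_jar(os.path.join(root, "contrib", "rest", "lib", "log4j-1.2.15.jar"))  # no pom: filename fallback
    _write_jar(os.path.join(root, "lib", "logging-shaded.jar"), "log4j", "log4j", "1.2.17")  # renamed copy
    _write_jar(os.path.join(root, "lib", "reload4j-1.2.19.jar"), "ch.qos.reload4j", "reload4j", "1.2.19")
    _write_jar(os.path.join(root, "lib", "slf4j-api-1.7.30.jar"), "org.slf4j", "slf4j-api", "1.7.30")


def run_demo():
    """Build the constructed tree, scan it, and return relative paths by category."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        findings = scan_tree(root)
        rel = lambda f: os.path.relpath(f.path, root).replace(os.sep, "/")
        return {
            "log4j1": sorted(rel(f) for f in findings if f.is_log4j1),
            "reload4j": sorted(rel(f) for f in findings if f.is_reload4j),
        }


if __name__ == "__main__":
    result = run_demo()
    for p in result["log4j1"]:
        print("log4j 1.x jar (CVE-2022-23302/23305/23307 line):", p)
    for p in result["reload4j"]:
        print("reload4j replacement present:", p)
```

Point `scan_tree` at a real ZooKeeper root (for example the `/opt/zookeeper/...` prefix from the quoted report) to audit an installation; an empty `log4j1` list together with a non-empty `reload4j` list is the state the comment above recommends for maintained 3.x lines.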