By Matteo Merli, Chairman of Apache Pulsar PMC, CTO of StreamNative
Apache Log4j2 recursively resolves `${...}` lookup patterns inside log messages, and one of the available lookups is JNDI. As a result, an attacker who can get attacker-controlled text into a logged message (for example through a request header or a client-supplied string) can trigger remote code execution. The details of this vulnerability and the progress of the fix are tracked under CVE-2021-44228.
The current Apache Pulsar releases bundle a Log4j2 version affected by this vulnerability. We strongly recommend that you follow the advice of the Apache Log4j community and patch your systems as soon as possible.
For Apache Pulsar, there are two workarounds that mitigate a deployment until a patched release is installed. Set either of the following on every Pulsar JVM (broker, proxy, BookKeeper, ZooKeeper, auto-recovery, and function workers):
- Java system property:
-Dlog4j2.formatMsgNoLookups=true
- Environment variable:
LOG4J_FORMAT_MSG_NO_LOOKUPS=true
Either setting disables message lookups in Log4j2 (it is honored by Log4j2 2.10 and later, which covers the versions Pulsar bundles) and mitigates the vulnerability for the Pulsar services. It is a mitigation, not a fix: the flag was later found to be incomplete in some non-default configurations (CVE-2021-45046), so upgrading Log4j2 remains the actual remedy.
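The workaround only helps if it is actually present on every JVM, so the check a practitioner wants is an audit of the running processes. The following POSIX shell script is an added example (it is not part of the advisory or of the Pulsar project): `log4shell_mitigated` takes a JVM command line as one string (the form `ps -o args=` prints) and the process environment as `NAME=VALUE` lines (the form `tr '\0' '\n' < /proc/<pid>/environ` prints) and reports whether either mitigation is set; `audit_running_jvms` applies it to the Pulsar, BookKeeper and ZooKeeper JVMs found under `/proc`. The sample command lines and environments at the end are constructed for illustration; the main-class names are assumptions about how these processes appear in a process list.

```shell
#!/bin/sh
# Added example: audit JVMs for the two CVE-2021-44228 workarounds.
# Not code from the Apache Pulsar advisory or project.

# log4shell_mitigated CMDLINE ENVIRON
#   CMDLINE: the JVM command line as a single string
#   ENVIRON: the process environment as NAME=VALUE lines
# Returns 0 if the system property or the environment variable is set to
# "true", 1 otherwise. Log4j parses the boolean case-insensitively; this check
# only accepts the lowercase form, so anything else is reported as unmitigated,
# which is the safe direction for an audit.
log4shell_mitigated() {
    cmdline=$1
    environ=$2
    case " $cmdline " in
        *" -Dlog4j2.formatMsgNoLookups=true "*) return 0 ;;
    esac
    if printf '%s\n' "$environ" | grep -qx 'LOG4J_FORMAT_MSG_NO_LOOKUPS=true'; then
        return 0
    fi
    return 1
}

# Walk /proc and report every Pulsar-related JVM. Reading another user's
# /proc/<pid>/environ requires the same uid or root, so run as root on the host
# or from inside the container.
audit_running_jvms() {
    for d in /proc/[0-9]*; do
        [ -r "$d/cmdline" ] || continue
        cmd=$(tr '\0' ' ' < "$d/cmdline")
        case "$cmd" in
            *org.apache.pulsar*|*org.apache.bookkeeper*|*org.apache.zookeeper*) ;;
            *) continue ;;
        esac
        env=$(tr '\0' '\n' 2>/dev/null < "$d/environ")
        if log4shell_mitigated "$cmd" "$env"; then
            status=mitigated
        else
            status=UNMITIGATED
        fi
        printf '%s %s %s\n' "${d#/proc/}" "$status" "$cmd" | cut -c1-120
    done
}

# Constructed sample data (assumed main-class names, not captured from a host):
# a broker started with the system property, a bookie relying on the
# environment variable, and a ZooKeeper server with neither.
SAMPLE_BROKER_CMD='java -Xms2g -Dlog4j2.formatMsgNoLookups=true -cp /pulsar/lib/* org.apache.pulsar.PulsarBrokerStarter'
SAMPLE_BROKER_ENV='PATH=/usr/bin'
SAMPLE_BOOKIE_CMD='java -Xms1g -cp /pulsar/lib/* org.apache.bookkeeper.proto.BookieServer'
SAMPLE_BOOKIE_ENV='PATH=/usr/bin
LOG4J_FORMAT_MSG_NO_LOOKUPS=true'
SAMPLE_ZK_CMD='java -cp /pulsar/lib/* org.apache.zookeeper.server.quorum.QuorumPeerMain'
SAMPLE_ZK_ENV='PATH=/usr/bin'

# Scan the live host only when asked, so the file can also be sourced.
if [ "${1:-}" = "--scan" ]; then
    audit_running_jvms
fi
```

Run it with `sh audit.sh --scan` on each host (or `kubectl exec <pod> -- sh -s --scan < audit.sh` inside a pod); any line marked UNMITIGATED is a JVM that received neither setting, typically because the flag was added to a config file the process does not read or the process was not restarted after the change.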
Also, when running Pulsar Functions with the Kubernetes runtime, you should update the function Docker image following the example, because each function instance runs in its own pod with its own JVM and the property must reach that JVM as well.
If you use the Pulsar Helm Chart to deploy Pulsar on Kubernetes, a new Helm Chart release is available with the above workaround already applied. If upgrading the chart is not suitable for your production environment, the same mitigation can be applied by adding -Dlog4j2.formatMsgNoLookups=true to PULSAR_EXTRA_OPTS in the configData section of the proxy, broker, BookKeeper, ZooKeeper and auto-recovery components in your Helm values file.
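A values override that does this for all five components, as an added example rather than a file from the advisory or the chart itself; the component keys (`zookeeper`, `bookkeeper`, `autorecovery`, `broker`, `proxy`) assume the layout of the apache/pulsar-helm-chart and should be checked against the version you run:

```yaml
# values-log4shell.yaml (added example; component keys are an assumption about
# the apache/pulsar-helm-chart layout, verify them against your chart version)
zookeeper:
  configData:
    PULSAR_EXTRA_OPTS: "-Dlog4j2.formatMsgNoLookups=true"
bookkeeper:
  configData:
    PULSAR_EXTRA_OPTS: "-Dlog4j2.formatMsgNoLookups=true"
autorecovery:
  configData:
    PULSAR_EXTRA_OPTS: "-Dlog4j2.formatMsgNoLookups=true"
broker:
  configData:
    PULSAR_EXTRA_OPTS: "-Dlog4j2.formatMsgNoLookups=true"
proxy:
  configData:
    PULSAR_EXTRA_OPTS: "-Dlog4j2.formatMsgNoLookups=true"
```

Apply it with `helm upgrade <release> apache/pulsar -f values-log4shell.yaml --reuse-values`. Two caveats: if your existing values already set PULSAR_EXTRA_OPTS for a component (for example with allocator or GC flags), append the new flag to that string instead of replacing it, since the override replaces the whole value; and the pods must be restarted for the new environment to take effect, so afterwards confirm the flag with `kubectl exec <pod> -- ps -o args=` before considering the component mitigated.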
The community is expediting the patch releases 2.7.4, 2.8.2, and 2.9.1, which are expected in the next few days and will bundle Log4j2 2.15.0 with the fix.
Technical Support
If you have any questions or concerns about Apache Pulsar in relation to this vulnerability, you are welcome to open an issue in the Apache Pulsar GitHub repository, or to discuss it with the community in the Pulsar technical exchange group.