The ZK community has been discussing where to go wrt log4j/... -- as a "customer" if you have any insights it would be good for you to weigh in. Perhaps help out with testing early RCs and any downstream impact.

Regards,
Patrick

On Thu, Dec 16, 2021 at 2:24 PM Hunter Lee <naren...@gmail.com> wrote:
> Thanks Brent for a quick turnaround.
>
> With Helix we find that laptops aren't usually powerful enough to run tests. But around last year we started looking at GitHub CI for testing results for testing consistency.
>
> Seems that the test is still running, so let's wait this out and see what we get.
>
> Hunter
>
> On Thu, Dec 16, 2021 at 5:17 PM Junkai Xue <j...@apache.org> wrote:
> > Thanks Brent! Right, I was commenting on your PR with that. Maybe we need to run the patch you provided to double verify it before merging. Anyway, thanks for contributing to this!
> >
> > Best,
> >
> > Junkai
> >
> > On Thu, Dec 16, 2021 at 2:11 PM Brent <brentwritesc...@gmail.com> wrote:
> > > I'm sure you all saw the notifications, but I pushed a PR for this at https://github.com/apache/helix/pull/1922
> > >
> > > I describe some of this in the PR, but the changes rippled out a little further than I thought, partly due to the Zookeeper dependency still bringing in vulnerable versions and partly due to a few places in code referencing Log4j 1.x APIs/packages/classes directly.
> > >
> > > My main concern, other than the magnitude of the change, is that I successfully ran all of the tests except helix-core. All of the helix-core tests succeeded up until the last 150 or so when I started getting out of memory errors, e.g.:
> > > [ERROR] Failures:
> > > [ERROR] TestConfigAccessor.testBasic:50 » OutOfMemory unable to create new native thre...
> > > [ERROR] TestConfigAccessor.testDeleteCloudConfig:329 » OutOfMemory unable to create ne...
> > > [ERROR] TestConfigAccessor.testSetRestConfig:219 » OutOfMemory unable to create new na...
> > >
> > > I can't tell if that's just my laptop or if it's a legitimate problem introduced by this change, so any independent verification (maybe the PR hooks already do this) would be greatly appreciated. I'm going to try to test this in one of our dev environments, but it would be great if someone else could independently verify too.
> > >
> > > Thanks!
> > >
> > > ~Brent
> > >
> > > On Wed, Dec 15, 2021 at 11:01 AM Hunter Lee <naren...@gmail.com> wrote:
> > > > Thanks Brent. We'll keep an eye out for it.
> > > >
> > > > Hunter
> > > >
> > > > On Wed, Dec 15, 2021 at 12:42 AM Brent <brentwritesc...@gmail.com> wrote:
> > > > > I filed this issue so we have something to track: https://github.com/apache/helix/issues/1921
> > > > >
> > > > > I'm attempting to get Log4J 2.16.x building and running properly locally. I will submit a PR if I can get it working.
> > > > >
> > > > > Thanks!
> > > > >
> > > > > On Tue, Dec 14, 2021 at 8:40 AM Brent <brentwritesc...@gmail.com> wrote:
> > > > > > Thanks Hunter, much appreciated! I will try to put together a patch with what I've done for remediation elsewhere (good news is it's not much since Helix still inherits Log4J 1.x). If you wouldn't mind, I might also file an issue to consider upgrading to Log4J 2.16.x that was just pushed out (https://lists.apache.org/thread/d6v4r6nosxysyq9rvnr779336yf0woz4). That one will require some more thought to make sure things don't break I suspect.
> > > > > >
> > > > > > ~Brent
> > > > > >
> > > > > > On Mon, Dec 13, 2021 at 1:42 PM Hunter Lee <naren...@gmail.com> wrote:
> > > > > >> This is being discussed. Feel free to post a patch if you're interested (but do let us know so there's no duplicate effort being made here).
> > > > > >>
> > > > > >> On Fri, Dec 10, 2021 at 1:33 PM Brent <brentwritesc...@gmail.com> wrote:
> > > > > >> > [Feel free to take this offline or out-of-band if this is an inappropriate place to discuss this]
> > > > > >> >
> > > > > >> > Is there any hotfixing planned as a result of the Log4J zero day going around?
> > > > > >> >
> > > > > >> > Reference: https://www.lunasec.io/docs/blog/log4j-zero-day/
> > > > > >> > CVE: https://nvd.nist.gov/vuln/detail/CVE-2021-44228
> > > > > >> >
> > > > > >> > From what I can tell, Helix seems to be building with https://mvnrepository.com/artifact/org.slf4j/slf4j-log4j12/1.7.14 which in turn maps to https://mvnrepository.com/artifact/log4j/log4j/1.2.17
> > > > > >> >
> > > > > >> > The exploit is more prevalent in the 2.x versions of Log4J, but there are scenarios where 1.x is exploitable and it's been pointed out that 1.x is also end of life and has other vulnerabilities.
> > > > > >> >
> > > > > >> > See: https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126
> > > > > >> >
> > > > > >> > Thanks!
> > > > > >> >
> > > > > >> > ~Brent
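The check Brent did by hand (slf4j-log4j12 → log4j 1.2.17, plus Log4j 2 copies riding in through the ZooKeeper dependency) can be scripted against `mvn dependency:tree` output. The script below is an added example, not code from the Helix project or from anyone in the thread; the tree text, the Helix and ZooKeeper version strings in it, and the 2.16.0 threshold (the release the thread names) are constructed for the example. It flags the Log4j 1.x artifact, the slf4j-log4j12 binding that pulls it in, and any log4j-core below the threshold, and reports the dependency chain each one arrived through.

```python
import re

# Constructed sample of `mvn dependency:tree` output (versions made up), mirroring
# the thread: slf4j-log4j12 -> log4j 1.2.17, plus log4j-core pulled in via ZooKeeper.
SAMPLE_TREE = """\
[INFO] org.apache.helix:helix-core:jar:0.0.0-EXAMPLE
[INFO] +- org.slf4j:slf4j-api:jar:1.7.14:compile
[INFO] +- org.slf4j:slf4j-log4j12:jar:1.7.14:compile
[INFO] |  \\- log4j:log4j:jar:1.2.17:compile
[INFO] +- org.apache.zookeeper:zookeeper:jar:0.0.0-EXAMPLE:compile
[INFO] |  +- org.apache.logging.log4j:log4j-core:jar:2.13.3:compile
[INFO] |  \\- org.apache.logging.log4j:log4j-api:jar:2.13.3:compile
[INFO] \\- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.16.0:test
"""

MIN_LOG4J2_CORE = (2, 16, 0)   # lowest log4j-core accepted (the release the thread names)
SCOPES = {"compile", "provided", "runtime", "test", "system", "import"}

# One tree line: indent, optional "+- " / "\- " connector, then the coordinate
# groupId:artifactId:type[:classifier]:version[:scope] (3 to 5 colons).
LINE_RE = re.compile(
    r"^\[INFO\] (?P<indent>(?:[| ] {2})*)(?P<conn>[+\\]- )?"
    r"(?P<coord>[\w.\-]+(?::[\w.\-]+){3,5})$"
)

def classify(group, artifact, version):
    if (group, artifact) == ("log4j", "log4j"):
        return "Log4j 1.x is end of life and receives no fixes"
    if (group, artifact) == ("org.slf4j", "slf4j-log4j12"):
        return "slf4j-log4j12 binding pulls in Log4j 1.x"
    # Compare by leading numeric components only: "2.13.3" -> (2, 13, 3)
    if (group, artifact) == ("org.apache.logging.log4j", "log4j-core") \
            and tuple(int(x) for x in re.findall(r"\d+", version)[:3]) < MIN_LOG4J2_CORE:
        return f"log4j-core {version} is below the accepted minimum"
    return None

def scan_tree(text):
    findings, stack = [], []          # stack = ancestors of the current line
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                  # plugin banners, BUILD SUCCESS, etc.
        parts = m["coord"].split(":")
        version = parts[-2] if parts[-1] in SCOPES else parts[-1]
        depth = 0 if m["conn"] is None else len(m["indent"]) // 3 + 1
        del stack[depth:]             # climb back up to this line's parent
        stack.append(f"{parts[1]}:{version}")
        if reason := classify(parts[0], parts[1], version):
            findings.append((" > ".join(stack), reason))
    return findings
```

Run it as `scan_tree(open("tree.txt").read())` after `mvn dependency:tree > tree.txt`; each finding's chain shows which direct dependency (here slf4j-log4j12 or zookeeper) needs an exclusion or upgrade.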