[ https://issues.apache.org/jira/browse/MESOS-10234?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17492857#comment-17492857 ]

Charles Natali commented on MESOS-10234:
----------------------------------------

Hi,

I cannot see an explicit dependency on log4j v1.2.17 - are you sure the build 
is not picking up your system's version?

Then again I'm really not familiar with the java bindings.

Note that the only log4j which is shipped with Mesos is part of the zookeeper 
version packaged:

{noformat}
./build/3rdparty/zookeeper-3.4.8/lib/slf4j-log4j12-1.6.1.jar
./build/3rdparty/zookeeper-3.4.8/lib/log4j-1.2.16.LICENSE.txt
./build/3rdparty/zookeeper-3.4.8/lib/log4j-1.2.16.jar
./build/3rdparty/zookeeper-3.4.8/src/java/lib/log4j-1.2.16.LICENSE.txt
./build/3rdparty/zookeeper-3.4.8/src/contrib/loggraph/web/org/apache/zookeeper/graph/log4j.properties
./build/3rdparty/zookeeper-3.4.8/src/contrib/rest/conf/log4j.properties
./build/3rdparty/zookeeper-3.4.8/src/contrib/zooinspector/lib/log4j.properties
./build/3rdparty/zookeeper-3.4.8/conf/log4j.properties
./build/3rdparty/zookeeper-3.4.8/contrib/rest/lib/slf4j-log4j12-1.6.1.jar
./build/3rdparty/zookeeper-3.4.8/contrib/rest/lib/log4j-1.2.15.jar
./build/3rdparty/zookeeper-3.4.8/contrib/rest/conf/log4j.properties
{noformat}

I'm not sure if anyone uses the shipped version, but maybe we could update it, 
what do you think [~asekretenko]?

Note that at work we experienced a zookeeper bug following a failover which 
IIRC caused some ephemeral nodes to not be deleted on the promoted leader, 
leading to inconsistencies in the Mesos registry - so updating could also solve 
this issue for whoever happens to use it.

> CVE-2021-44228 Log4j vulnerability for apache mesos
> ---------------------------------------------------
>
>                 Key: MESOS-10234
>                 URL: https://issues.apache.org/jira/browse/MESOS-10234
>             Project: Mesos
>          Issue Type: Bug
>          Components: build
>    Affects Versions: 1.11.0
>            Reporter: Sangita Nalkar
>            Priority: Critical
>
> Hi,
> Wanted to know if CVE-2021-44228 Log4j vulnerability is affecting Apache 
> mesos.
> We see that log4j v1.2.17 is used while building apache mesos from source.
> Snippet from build logs:
> std=c++11 -MT jvm/org/apache/libjava_la-log4j.lo -MD -MP -MF 
> jvm/org/apache/.deps/libjava_la-log4j.Tpo -c 
> ../../src/jvm/org/apache/log4j.cpp  -fPIC -DPIC -o 
> jvm/org/apache/.libs/libjava_la-log4j.o
> Thanks,
> Sangita
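Checking the shipped jars by their contents rather than their file names, as an added example that is not part of this thread or of the Mesos project: it walks a build tree, opens each jar with Python's zipfile module, and reports whether the jar is log4j 1.x (which never contains the JndiLookup class exploited by CVE-2021-44228), log4j 2.x with or without that class, or merely named after log4j, as the slf4j-log4j12 binding in the listing above is. The directory layout and jar contents built by demo() are constructed stand-ins, and the log4j-core 2.x jar is hypothetical, included only to show the positive case.

```python
import os
import tempfile
import zipfile

# Class that marks a log4j 2.x core jar still carrying the JNDI lookup abused
# in CVE-2021-44228; no log4j 1.x jar contains it.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def classify_jar(path):
    """Classify one jar by what it contains, not by what its file name says."""
    with zipfile.ZipFile(path) as jar:
        names = jar.namelist()
    if JNDI_LOOKUP in names:
        return "log4j2-with-JndiLookup"   # CVE-2021-44228 candidate
    if any(n.startswith("org/apache/logging/log4j/") for n in names):
        return "log4j2-without-JndiLookup"
    if any(n.startswith("org/apache/log4j/") for n in names):
        return "log4j1"                   # outside CVE-2021-44228, but end-of-life
    return "not-log4j"                    # e.g. an slf4j binding named after log4j

def scan_tree(root):
    """Map every .jar below root (slash-separated relative path) to its verdict."""
    verdicts = {}
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if name.endswith(".jar"):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                verdicts[rel] = classify_jar(full)
    return verdicts

def _write_jar(path, entries):
    """Constructed stand-in jar: a zip holding empty files with the given names."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with zipfile.ZipFile(path, "w") as jar:
        for entry in entries:
            jar.writestr(entry, b"")

def demo():
    """Build a constructed tree echoing the zookeeper layout above, then scan it."""
    root = tempfile.mkdtemp()
    lib = os.path.join(root, "zookeeper-3.4.8", "lib")
    _write_jar(os.path.join(lib, "log4j-1.2.16.jar"), ["org/apache/log4j/Logger.class"])
    _write_jar(os.path.join(lib, "slf4j-log4j12-1.6.1.jar"), ["org/slf4j/impl/Log4jLoggerAdapter.class"])
    # Hypothetical log4j-core 2.x jar, not something Mesos ships, to show the positive case.
    _write_jar(os.path.join(root, "extra", "log4j-core-2.x.jar"),
               ["org/apache/logging/log4j/core/Logger.class", JNDI_LOOKUP])
    return scan_tree(root)
```

Pointing scan_tree() at a real build/3rdparty directory gives the same verdicts for the jars actually on disk, independent of how they are named.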



--
This message was sent by Atlassian Jira
(v8.20.1#820001)