The Drain Cleaner is written in Java, but it only uses the Log4j2 library in tests, not when it’s used by users. The last unaffected component is the Strimzi Drain Cleaner. The TLS sidecars used in Cruise Control and the Entity Operator are based on Stunnel, which is written in C. The Kaniko builder used to build the Kafka Connect images is also written in Golang This includes the Kafka Exporter and Strimzi Canary which are written in Golang. Several of the components are not affected because they do not use Java at all. Let’s have a look at these components and identify those which are and are not affected by the Log4j2 vulnerability.
There are also some components which are deployed separately, such as the Drain Cleaner.Īll the available components are listed here: It also deploys the ZooKeeper cluster, the topic and user operators, and possibly Cruise Control and Kafka Exporter. When using Strimzi, you first deploy the Cluster Operator as the central component.įinally, each operand might consist of multiple different components.įor example, when you deploy the Kafka cluster using the Kafka custom resource, it does not deploy just the Kafka brokers. In this blog post, we will have a look at which parts of your Strimzi deployment might be affected and how the vulnerability can be mitigated. In short, if an attacker can get your application to log an arbitrary log message (or part of it), it can be used to execute arbitrary code, loaded from an attacker-controlled remote server, inside your application. We will not get into the finer details here. Much has been written about how the vulnerability works and how it can be used by attackers to gain unauthorized control over your system.
Several Strimzi components and dependencies use Log4j2. The CVE-2021-44228 vulnerability in the Log4j2 logging library - also known as Log4Shell - affects many software projects written in Java.
#Stunnel dependencies update#
Update (24th December 2021): We have now also released Strimzi 0.27.0 which uses Log4j2 2.17.0 and fixes also the less critical CVE-2021-45105 and CVE-2021-45046.
0 kommentar(er)
