Upgrade to log4j2 to get rid of CVE-2019-17571 #2815

Closed
RaulGracia opened this issue Oct 6, 2021 · 1 comment
@RaulGracia (Contributor)

BUG REPORT

Describe the bug

Log4j 1.x has a relevant and public security vulnerability: CVE-2019-17571. The solution is to upgrade Bookkeeper to log4j2 to remove that CVE.

To Reproduce

Scanning the Bookkeeper image reports this CVE.

Expected behavior

Remove CVE from Bookkeeper.

Screenshots

n/a

Additional context

n/a

zymap pushed a commit that referenced this issue Oct 15, 2021
### Motivation
Upgrades to log4j2 to get rid of CVE-2019-17571.

### Changes

The migration of log4j has been done mainly following the official guidelines: https://logging.apache.org/log4j/2.x/manual/migration.html.
In this PR, the following changes are included:
- Replacement of `slf4j-log4j12` with `log4j-1.2-api`; the `log4j-slf4j-impl` binding and the `log4j-core` library are also included.
- Changes in `pom`, `gradle` and license files to reflect the above library upgrade.
- The test classes `TestOrderedExecutorDecorators`, `LoggerOutput` and `MdcContextTest`, as well as the class `FIleSystemUpgrade`, made use of the log4j 1.2 API. This PR attempts to keep the same functionality with the new APIs.

### Verification
- Existing tests are passing.
- log4j1.2 is removed from project: #2816 (comment)
- Using `localbookie`, we observe that logs are shown correctly:
```
2021-10-07T16:04:23,757 - INFO  - [main:GarbageCollectorThread@245] - Minor Compaction : enabled=true, threshold=0.20000000298023224, interval=3600000
2021-10-07T16:04:23,760 - INFO  - [main:GarbageCollectorThread@247] - Major Compaction : enabled=true, threshold=0.800000011920929, interval=86400000
2021-10-07T16:04:23,952 - INFO  - [main:BookieImpl@920] - Finished replaying journal in 2 ms.
2021-10-07T16:04:23,958 - INFO  - [SyncThread-7-1:SyncThread@135] - Flush ledger storage at checkpoint CheckpointList{checkpoints=[LogMark: logFileId - 0 , logFileOffset - 0]}.
2021-10-07T16:04:23,980 - INFO  - [main:BookieImpl@1010] - Finished reading journal, starting bookie
2021-10-07T16:04:24,011 - INFO  - [BookieJournal-5000:Journal@919] - Starting journal on /tmp/localbookkeeper06554024139823286046test/current
2021-10-07T16:04:24,031 - INFO  - [ForceWriteThread:Journal$ForceWriteThread@478] - ForceWrite Thread started
2021-10-07T16:04:24,048 - INFO  - [BookieJournal-5000:JournalChannel@169] - Opening journal /tmp/localbookkeeper06554024139823286046test/current/17c5b11c65b.txn
```
In addition to that, if we change the `log4j.properties` file, the changes are reflected in the console output, meaning that the legacy configuration works and changes can be correctly applied:
```
Over Replicated Ledger Deletion : enabled=true, interval=86400000
Minor Compaction : enabled=true, threshold=0.20000000298023224, interval=3600000
Major Compaction : enabled=true, threshold=0.800000011920929, interval=86400000
Finished replaying journal in 5 ms.
Flush ledger storage at checkpoint CheckpointList{checkpoints=[LogMark: logFileId - 0 , logFileOffset - 0]}.
Finished reading journal, starting bookie
Starting journal on /tmp/localbookkeeper015049859959001160726test/current
ForceWrite Thread started
Opening journal /tmp/localbookkeeper015049859959001160726test/current/17c5b143063.txn
```
More verification may be needed that logging works properly in the other impacted Bookkeeper sub-components.

Master Issue: #2815
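As an added example (not BookKeeper's code and not part of the PR above), the following Python script audits a directory of jars for the pre-migration artifacts the PR removes (`slf4j-log4j12` and the `log4j:log4j` 1.x implementation) and for the replacements it adds (`log4j-1.2-api`, `log4j-slf4j-impl`, `log4j-core`). It identifies each jar by its Maven `pom.properties` metadata rather than by the `org.apache.log4j` package prefix, because the `log4j-1.2-api` bridge legitimately ships classes under that package. It also flags the `org.apache.log4j.net.SocketServer` class, the deserialization endpoint CVE-2019-17571 concerns. The jar fixtures, their version strings and their entry lists are constructed in memory for the demo and do not reflect the real jars' full contents; `audit_dir` is a hypothetical entry point for a real `lib/` directory.

```python
"""Audit a jar directory for log4j 1.x leftovers after a log4j2 migration.

Added example, not BookKeeper code. Jars are identified by their Maven
metadata (META-INF/maven/<groupId>/<artifactId>/pom.properties), because the
log4j-1.2-api bridge legitimately ships org.apache.log4j.* classes and a
package-prefix scan would report it as a false positive.
"""
import io
import zipfile
from pathlib import Path

# Coordinates the PR removes and adds (from its "Changes" section).
REMOVED = {("org.slf4j", "slf4j-log4j12"), ("log4j", "log4j")}
ADDED = {
    ("org.apache.logging.log4j", "log4j-1.2-api"),
    ("org.apache.logging.log4j", "log4j-slf4j-impl"),
    ("org.apache.logging.log4j", "log4j-core"),
}
# The log4j 1.2 class CVE-2019-17571 concerns: SocketServer deserialises untrusted data.
VULN_CLASS = "org/apache/log4j/net/SocketServer.class"


def maven_coords(names):
    """Yield (groupId, artifactId) for every pom.properties entry in a jar listing."""
    for name in names:
        parts = name.split("/")
        if len(parts) == 5 and parts[:2] == ["META-INF", "maven"] and parts[4] == "pom.properties":
            yield parts[2], parts[3]


def inspect_jar(data):
    """Return (set of Maven coords, whether the vulnerable class is present)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
    return set(maven_coords(names)), VULN_CLASS in names


def audit(jars):
    """jars: {file name: jar bytes}. Returns the findings a scanner would report."""
    seen, vuln_in = set(), []
    for name, data in jars.items():
        coords, has_vuln = inspect_jar(data)
        seen |= coords
        if has_vuln:
            vuln_in.append(name)
    return {
        "removed_present": seen & REMOVED,  # log4j 1.x artifacts still on the classpath
        "added_missing": ADDED - seen,      # log4j2 artifacts the migration requires
        "vuln_class_in": vuln_in,           # jars that still carry SocketServer
    }


def is_clean(findings):
    return not (findings["removed_present"] or findings["added_missing"] or findings["vuln_class_in"])


def audit_dir(path):
    """Hypothetical entry point for a real lib/ directory (e.g. extracted from the image)."""
    return audit({p.name: p.read_bytes() for p in Path(path).glob("*.jar")})


def make_jar(group, artifact, entries=()):
    """Constructed fixture: a minimal jar with Maven metadata and optional class entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(f"META-INF/maven/{group}/{artifact}/pom.properties",
                    f"groupId={group}\nartifactId={artifact}\n")
        for entry in entries:
            zf.writestr(entry, b"")
    return buf.getvalue()


def before_migration():
    """Constructed classpath as it looked before the PR (names and contents illustrative)."""
    return {
        "slf4j-api-1.7.x.jar": make_jar("org.slf4j", "slf4j-api"),
        "slf4j-log4j12-1.7.x.jar": make_jar("org.slf4j", "slf4j-log4j12"),
        "log4j-1.2.x.jar": make_jar("log4j", "log4j",
                                    ["org/apache/log4j/Logger.class", VULN_CLASS]),
    }


def after_migration():
    """Constructed classpath after the PR (entry lists are illustrative, not the real jars)."""
    return {
        "slf4j-api-1.7.x.jar": make_jar("org.slf4j", "slf4j-api"),
        "log4j-1.2-api-2.x.jar": make_jar("org.apache.logging.log4j", "log4j-1.2-api",
                                          ["org/apache/log4j/Logger.class"]),
        "log4j-slf4j-impl-2.x.jar": make_jar("org.apache.logging.log4j", "log4j-slf4j-impl"),
        "log4j-core-2.x.jar": make_jar("org.apache.logging.log4j", "log4j-core"),
    }


if __name__ == "__main__":
    for label, jars in (("before", before_migration()), ("after", after_migration())):
        findings = audit(jars)
        print(label, "clean" if is_clean(findings) else findings)
```

A scanner that matched only on the `org/apache/log4j/` prefix would flag the bridge jar in `after_migration()`, which carries `org/apache/log4j/Logger.class` by design; matching on Maven coordinates (and on the specific `SocketServer` class) reports the pre-migration classpath as dirty and the post-migration one as clean. Against a real image, run `audit_dir("lib")` on the extracted jar directory.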
@RaulGracia (Contributor, Author)

Closed via #2816.

Ghatage pushed a commit to sijie/bookkeeper that referenced this issue Jul 12, 2024