
How to apply mitigation for CVE-2021-44228 #422

Open
plumdog opened this issue Dec 11, 2021 · 1 comment

Comments


plumdog commented Dec 11, 2021

Description

CVE-2021-44228, aka Log4Shell allows remote code execution in affected versions of log4j. As yet there is no announcement on https://zookeeper.apache.org/security.html, but I'm assuming Zookeeper is impacted until I find something to convince me otherwise.

For Solr, rather than patching, there's a mitigation (see https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228): set SOLR_OPTS="$SOLR_OPTS -Dlog4j2.formatMsgNoLookups=true". I am hopeful that there is something similar for Zookeeper, and that zookeeper-operator will allow me to set such a config item.

Importance

Security critical, assuming Zookeeper is impacted.

Location

The vulnerability would be in Zookeeper itself, but the ability to set configuration for the mitigation would be applied by zookeeper-operator.

Suggestions for an improvement

First we need to understand whether such a mitigation is available for Zookeeper, so I think we're just waiting for an update to https://zookeeper.apache.org/security.html, unless someone better acquainted with Zookeeper can work out/find what this might be. Then, if so, zookeeper-operator would need to be able to set it, and ultimately should set it by default. Also, it could be a "global" setting passed to the operator, e.g. "for every zookeeper I create, set the mitigation option", or per Zookeeper, so set in the CRD somewhere.

Possibly related to: #252
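Before asking the operator for a mitigation knob, the first thing to establish is which log4j generation actually sits on the Zookeeper classpath, because `-Dlog4j2.formatMsgNoLookups=true` only means anything on log4j 2.x (2.10 or later). The script below is an added example, not code from zookeeper-operator or Zookeeper: it classifies every jar in a `lib/` directory by the presence of the log4j 1.x `Logger` class, the log4j-core 2.x `Logger` class and the `JndiLookup` class that CVE-2021-44228 abuses, takes the 2.x version from the artifact file name (a heuristic; a renamed jar reports as unknown and is treated as old), and returns a verdict. The three sample `lib/` directories are constructed inline from empty placeholder entries so it runs offline; no real log4j bytecode is involved.

```python
"""Classify the log4j jars on a Zookeeper-style classpath.

Added example, not code from zookeeper-operator or Zookeeper. The sample
lib/ directories are constructed inline from empty placeholder entries so
the script runs offline; the jar names mirror real artifact names but no
real log4j bytecode is involved.
"""
import pathlib
import re
import tempfile
import zipfile

# Class entries that distinguish the two incompatible log4j generations.
LOG4J1_CLASS = "org/apache/log4j/Logger.class"
LOG4J2_CORE_CLASS = "org/apache/logging/log4j/core/Logger.class"
# The lookup class whose JNDI resolution is abused by CVE-2021-44228.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

# Heuristic (assumption): read the version from the artifact name,
# e.g. log4j-core-2.14.1.jar. A renamed jar yields None, treated as old.
CORE_VERSION_RE = re.compile(r"^log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")
FIRST_FIXED_2X = (2, 15, 0)  # CVE-2021-44228 fixed on the main 2.x line


def classify_jar(path):
    """Report which log4j marker classes one jar carries."""
    path = pathlib.Path(path)
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
    m = CORE_VERSION_RE.match(path.name)
    return {
        "jar": path.name,
        "log4j1": LOG4J1_CLASS in names,
        "log4j2_core": LOG4J2_CORE_CLASS in names,
        "jndi_lookup": JNDI_LOOKUP_CLASS in names,
        "version": tuple(int(x) for x in m.groups()) if m else None,
    }


def scan_classpath(lib_dir):
    """Classify every top-level jar in lib/ (nested jars are not opened)."""
    return [classify_jar(p) for p in sorted(pathlib.Path(lib_dir).glob("*.jar"))]


def verdict(findings):
    """Return (status, detail) for CVE-2021-44228 exposure.

    Only the main 2.x line is modelled (fixed from 2.15.0); the Java 7 and
    Java 6 backports (2.12.2, 2.3.1) and later 2.x CVEs are out of scope.
    """
    core = [f for f in findings if f["log4j2_core"]]
    for f in core:
        unknown_or_old = f["version"] is None or f["version"] < FIRST_FIXED_2X
        if f["jndi_lookup"] and unknown_or_old:
            return "AFFECTED", f"{f['jar']}: log4j-core 2.x with JndiLookup below 2.15.0"
    if core:
        return "LOG4J2_NOT_AFFECTED", "log4j-core 2.x at 2.15.0 or later, or JndiLookup absent"
    if any(f["log4j1"] for f in findings):
        return "LOG4J1_ONLY", "log4j 1.x only: CVE-2021-44228 does not apply (1.x is EOL, with its own CVEs)"
    return "NO_LOG4J", "no log4j classes on the classpath"


def _write_jar(path, entries):
    """Write a placeholder jar whose only content is the named (empty) entries."""
    with zipfile.ZipFile(path, "w") as zf:
        for name in entries:
            zf.writestr(name, b"")


def build_sample_lib(root, flavour):
    """Construct a fake lib/ directory for one of three scenarios (sample data)."""
    lib = pathlib.Path(root) / flavour / "lib"
    lib.mkdir(parents=True)
    _write_jar(lib / "zookeeper.jar", ["org/apache/zookeeper/ZooKeeper.class"])
    if flavour == "log4j1":  # the 1.x-only classpath
        _write_jar(lib / "log4j-1.2.17.jar", [LOG4J1_CLASS])
    elif flavour == "log4j2-old":  # the exposed 2.x case, where the flag matters
        _write_jar(lib / "log4j-core-2.14.1.jar", [LOG4J2_CORE_CLASS, JNDI_LOOKUP_CLASS])
    elif flavour == "log4j2-fixed":
        _write_jar(lib / "log4j-core-2.17.1.jar", [LOG4J2_CORE_CLASS, JNDI_LOOKUP_CLASS])
    return lib


def demo():
    """Run the three constructed scenarios and return flavour -> status."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for flavour in ("log4j1", "log4j2-old", "log4j2-fixed"):
            status, detail = verdict(scan_classpath(build_sample_lib(tmp, flavour)))
            results[flavour] = status
            print(f"{flavour:13s} {status:20s} {detail}")
    return results


if __name__ == "__main__":
    demo()
```

Against a real deployment, point `scan_classpath` at a copy of the `lib` directory taken from the running Zookeeper container (for example with `kubectl cp`) rather than at the constructed samples. Only an `AFFECTED` result calls for the Solr-style flag; on a 1.x-only classpath there is nothing for the operator to set, and the remaining concern is the age of the 1.x line itself.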

amuraru (Contributor) commented Dec 11, 2021

Based on our analysis, Zookeeper is using log4j 1.x, which is not impacted by the Log4Shell CVE. Log4j 1.x has been EOLed for a while and has several other CVEs, but not Log4Shell.
