ZOOKEEPER-3990

Log4j 1.2.17 used by zookeeper 3.6.1 is vulnerable to CVE-2019-17571


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Duplicate
    • Affects Version/s: 3.6.1, 3.6.2
    • Fix Version/s: None
    • Component/s: None
    • Labels: None

      Description

      Hello everyone,

      I work for a product which uses apache/zookeeper 3.6.1.  We scanned our product with a security scanner which reported CVE-2019-17571.

      After analysis we found that this vulnerability is coming from zookeeper 3.6.1 because of a direct dependency on log4j 1.2.17.

      Statement regarding 1.x version of log4j from official site:

      A security vulnerability, CVE-2019-17571, has been identified against Log4j 1. Log4j includes a SocketServer that accepts serialized log events and deserializes them without verifying whether the objects are allowed or not. This can provide an attack vector that can be exploited. Since Log4j 1 is no longer maintained, this issue will not be fixed. Users are urged to upgrade to Log4j 2.x.

      Could you please share your rationale on not upgrading log4j to 2.x?
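A defender-side check added here, not part of this issue or of the ZooKeeper project: it walks a lib/ directory, reports every Log4j 1.x jar it finds, and records whether the SocketServer/SocketNode classes named in the Log4j statement above still ship inside that jar (a repackaged jar with those classes removed no longer carries the deserializing endpoint). The jars, manifests and version numbers built in demo() are constructed samples, not real ZooKeeper artifacts.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Classes of the Log4j 1 socket receiver that deserialize LoggingEvent objects (CVE-2019-17571).
SOCKET_CLASSES = {"org/apache/log4j/net/SocketServer.class", "org/apache/log4j/net/SocketNode.class"}
LOG4J1_NAME_RE = re.compile(r"^log4j-(1\.\d+(?:\.\d+)?)\.jar$")
LOG4J1_MANIFEST_RE = re.compile(r"^Implementation-Version:\s*(1\.\S+)", re.M)

def log4j1_version(jar, name):
    """Log4j 1.x version from the file name, else from the manifest of a jar holding Log4j 1 classes."""
    m = LOG4J1_NAME_RE.match(name)
    if m:
        return m.group(1)
    names = jar.namelist()
    if "META-INF/MANIFEST.MF" in names and "org/apache/log4j/Logger.class" in names:
        m = LOG4J1_MANIFEST_RE.search(jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace"))
        return m.group(1) if m else None
    return None

def inspect_jar(path):
    """Finding for a Log4j 1.x jar: its version and whether the socket receiver classes ship in it."""
    with zipfile.ZipFile(path) as jar:
        version = log4j1_version(jar, path.name)
        if version is None:
            return None  # not Log4j 1.x (a Log4j 2 jar or an unrelated jar)
        present = sorted(SOCKET_CLASSES & set(jar.namelist()))
    # Every 1.x release is affected; a repackaged build with the socket classes stripped no longer carries the endpoint.
    return {"jar": path.name, "version": version, "socket_classes": present, "socket_receiver_present": bool(present)}

def scan(root):
    """Walk `root` for jars and return a finding for each Log4j 1.x jar."""
    return [f for p in sorted(root.rglob("*.jar")) if (f := inspect_jar(p)) is not None]

def build_sample_jar(dest, version, with_socket):
    """Constructed stand-in jar (manifest plus placeholder class entries, no real bytecode)."""
    with zipfile.ZipFile(dest, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        jar.writestr("org/apache/log4j/Logger.class", b"\xca\xfe\xba\xbe")
        for cls in (SOCKET_CLASSES if with_socket else ()):
            jar.writestr(cls, b"\xca\xfe\xba\xbe")

def demo():
    """Scan a constructed lib/ tree: 1.2.17 as shipped, a repackaged 1.2.17 without the socket classes, a Log4j 2 jar."""
    root = Path(tempfile.mkdtemp())
    build_sample_jar(root / "log4j-1.2.17.jar", "1.2.17", with_socket=True)
    build_sample_jar(root / "log4j-repackaged.jar", "1.2.17", with_socket=False)
    build_sample_jar(root / "log4j-core-2.0.jar", "2.0", with_socket=False)
    return scan(root)
```

Point scan() at a real distribution's lib/ directory to get the same findings for the jars actually shipped.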


              People

              • Assignee: Damien Diederen (ztzg)
              • Reporter: SAICHARAN REDDY KOTLA (kotlasaicharanreddy)
              • Votes: 0
              • Watchers: 2
