Hotfix for log4j 1.2.7 security vulnerability (CVE-2019-17571)

[dongjinleekr]

Hello. Kafka is still using log4j 1.2.7, in turn with its security vulnerability. I have been working on this problem and recently started to provide a preview patch and custom distribution for Apache Kafka 2.7.0.

Some Kafka users consulted me that if they can use this preview with strimzi kafka operator. It seems like it is using some docker image, but I can't guess how to provide a custom docker image for it. Could anyone guide me?

As a note, here is a examplar custom docker image of it (dongjinleekr/kafka:2.13-2.7.0-log4j2-0) compatible with wurstmeister/kafka-docker. I hope there is any way to provide similar one.

[scholzj]

Strimzi does not work with any Kafka container image. It has its own images which are not the same as lets say Confluent platform or Wurstmeister. The general way how to use a custom Kafka build would be to change the URL and checksum in this file to point to your distribution and build the whole Strimzi project.

That said, I'm not sure how well it would or would not work. The operator has built in logic around logging configuration which expects Log4j 1 right now and I have no idea how well it would or would not work if your version has now Log4j2. Maybe @sknot-rh would know? He did most of the work around logging.

PS: We are definitely following the progress around Log4j 2 ... thanks for working on it.

[scholzj]

Actually probably easier way to do the custom image would be to just use the Strimzi image as base image and overwrite the Kafka dirs (probably just the bin, config and libs directories).

[sknot-rh]

Yeah, I think some changes on the Strizmi side would be needed. The question is whether the API for changing logging levels in the Kafka stays the same. If so, we just need to adjust the format of loggers to be parsed in Strimzi.

[dongjinleekr]

Since this preview is backward-compatible, it perfectly works with log4j configuration unless it uses a feature removed in log4j2. log4j2 mode is activated only if the user specifies KAFKA_LOG4J_OPTS environment variable to "-Dlog4j.configurationFile=file:{kafka.home}/bin/../config/log4j2.properties"

Of course, there may be unexpected consequences, and this preview aims to prepare the update and detect implicit bugs beforehand.

It seems like activating this preview build is available by only changing the download URL and md5 checksum. Although I am preparing the 2.6.0 patch and preview guide now, here is the download link and md5 checksum for who needs this feature right now. Thanks for the answer, and praise the Strimzi team! 😄

• Preview build: 2.7.0+log4j2
• md5 checksum: f9ee67109f2da3fc08478da64a0970a0b7324497

[scholzj]

With which version you want to use it? I assume with latest stable release (0.21.1) - I can build it and share it somewhere in some Docker registry if needed.

[dongjinleekr]

Sorry for the late reply. I also expect that the latest stable release (0.21.1) would be good. If you build a preview docker image, it would be a great help. (I created a guide to the preview - I will update the strimzi-kafka-operator section as soon as the preview image is released.)

Add to this, I succesfully generated a custom build of 2.6.1. It would be help! 😄

• Preview build: 2.6.1+log4j2
• sha1 checksum: 148a8f116a5e1115650075218e4cdc4ca2d6a3d1

[scholzj]

Ok, I build container image quay.io/scholzj/kafka:log4j2-kafka-2.7.0 => it is to be used with Strimzi 0.21.1 and has your patched 2.7.0 release. I did not run any tests with it or anything, but it is available.

After we release 0.22 I will try to do the same for it with both 2.7 and 2.6.1 and do some more testing.

[dongjinleekr]

Great! I will try your operator and update the guide. Thank you again!! 🙇🙇🙇

[dongjinleekr]

Here is the guide: https://home.apache.org/~dongjin/post/apache-kafka-log4j2-support/

[dongjinleekr]

Long time no see.

Previews & custom patches for [2.6.1, 2.8.0] have been released. (3.0.0 based preview will be released as soon as the official 3.0.0 is released.) Please refer here to download them.