Mitigating log4j vulnerability in linkerd1

[DrCapt]

Thanks for your help improving the project!

Getting Help

Github issues are for bug reports and feature requests. For questions about
Linkerd, how to use it, or debugging assistance, start by
asking a question in the forums or join us on
Slack.

Full details at CONTRIBUTING.md.

Filing a Linkerd issue

Issue Type:

• Bug report
• Feature request

What happened:
linkerd1 uses log4j, and it is conceivable that an attacker can use the JDNI vulnerability by putting malicious classloader directives in headers, and the headers can show up in logs. We need guidance on how to mitigate this vulnerability.

Thanks!

What you expected to happen:

How to reproduce it (as minimally and precisely as possible):

Anything else we need to know?:

Environment:

• linkerd/namerd version, config files:

linkerd 1.7.3

• Platform, version, and config files (Kubernetes, DC/OS, etc):
• Cloud provider or hardware configuration:

[cpretzer]

Hi @DrCapt , thanks for reaching out about this.

The Linkerd team has completed its analysis of the CVE and you can find the details in #2438 The short version is that we have found Linkerd to be safe from the CVE.