
Request upgrade of all log4j 1.x to at least log4j 2.17.1, or patch vulnerabilities #2440

Closed
1 of 2 tasks
DrCapt opened this issue Jan 4, 2022 · 7 comments · Fixed by #2448

Comments


DrCapt commented Jan 4, 2022

Issue Type:

  • Bug report
  • Feature request

What happened:

Linkerd 1 currently uses log4j 1.x through its Netty and Zookeeper dependencies according to #2438 (comment)

Hello, sharing what I've found regarding the log4j vuln in Linkerd. I cloned the linkerd/linkerd repo and checked out the 1.6.3 tag, which is the version we're using, then I added a dependency tree plugin to the sbt plugins file, and after executing it I only see log4j 1.2.16 and 1.2.17. I'll do the same with tag 1.7.4.
I also started looking into netty and, if I'm not mistaken, log4j was updated to v2 in version 4.1.65.Final (netty/netty#11264).
On linkerd 1.6.3 I see netty 4.1.31.Final.
On linkerd 1.7.4 I see netty 4.1.47.Final and log4j 1.2.16 and 1.2.17.
From these dependencies it seems like linkerd 1 is safe, but log4j 1 has other vulnerabilities, although not as critical as log4shell.

Even though log4j 1.x is not vulnerable to CVE-2021-44228, it is still end of life and has a number of other vulnerabilities which our security scanner is picking up.

What you expected to happen:

We request that Linkerd 1 be upgraded so that either only log4j 2.17.1 (or higher) is used, or the vulnerabilities in log4j 1.x are patched, in order to fulfill our security requirements.

We are a paying customer of Buoyant.

Environment:

  • linkerd/namerd version, config files:

We are using Linkerd 1.7.3.


wmorgan commented Jan 4, 2022

Thanks @DrCapt . We're taking a look.


wmorgan commented Jan 14, 2022

@DrCapt do you currently use Linkerd's Zookeeper integration?


DrCapt commented Feb 21, 2022

@wmorgan hi, sorry for the late response. No, we do not use Linkerd's Zookeeper integration. I will check with security to see if they can ignore the log4j dependency from Zookeeper, since we don't use it. Also, from what I understand from this comment, log4j is not pulled in from the Netty dependency, can you confirm?
#2438 (comment)


wmorgan commented Feb 22, 2022

@DrCapt That's correct. Linkerd does not pull in log4j from its Netty dependency. The Zookeeper component is the only part of Linkerd that has a log4j dependency (of a bad version). We can publish a new release of Linkerd that simply removes that component, but if you're not using it then you don't necessarily have to upgrade.


DrCapt commented Mar 1, 2022

@wmorgan unfortunately, due to the politics surrounding our security, we need a version of Linkerd 1 that removes the Zookeeper component.


wmorgan commented Mar 2, 2022

@DrCapt Ok, stay tuned!


wmorgan commented May 26, 2022

@DrCapt We've just shipped Linkerd 1.7.5 which contains a version of Linkerd without Zookeeper. Please let us know if you run into any issues.
