log4j vulnerability (CVE-2021-44228) - not vulnerable #1196
Comments
@patrakov Sentry does not have any Java code in it. That said it uses Kafka and Zookeeper so it'd be better to look there. Self-hosted uses Confluent packages so you may check them and submit a PR to upgrade the packages if you see something. Originally posted by @BYK in #1175 (comment)
Would also love confirmation on the vulnerability as @patrakov mentioned, since it does look like some old log4j versions (1.x) were used when I searched a self-hosted server for log4j with Originally posted by @bryceadams in #1175 (comment)
It seems that log4j 1.x is impacted only if some features are enabled, check here.
The Kafka configuration does not seem to have the impacted configuration options enabled (you can check them here).
If people want to be sure, I have added the following to our
Hey, big thanks to everyone for jumping on this so quickly to report (@patrakov, @DerFlash), triage (@BYK, @bryceadams, @acherifi), mitigate (@jerbob92), and coordinate (@aminvakil). 🙏
So it is still not clear to me if sentry needs a patch update for the log4j vulnerability?
@hrishikeshdkakkad You probably don't need a patch, no. What does everyone think? Should we add @jerbob92's configs to the default
I've used the opensource trivy tool to scan each of the images listed in the docker-compose for the latest release of sentry. Both seem to use log4j and seem to be affected by the log4shell exploit. Just as an FYI.
@ChojinDSL Can you post the output? Log4j and log4j2 are different and the first one is not affected.
confluentinc/cp-kafka:5.5.0 @jerbob92 You're right, my bad. Those two components are not affected by log4shell.
We should not add it to default
Just to confirm that Kafka is currently not affected, here is the discussion on the Kafka issue tracker
I cannot find anything about zookeeper affected by this vulnerability, but I can't find anything definite about zookeeper not affected by this CVE too :( Anyone got something?
Found it: https://issues.apache.org/jira/browse/ZOOKEEPER-4423. (via NCSC-NL/log4shell#104) Also fwiw AWS says their Zookeeper is in the clear.
I think the conclusion here is that Sentry self-hosted is not vulnerable, based on the self-reporting of the Kafka and Zookeeper projects. Agreed?
I'd suggest keeping this issue open still, and change the title to clarify sentry is not vulnerable for users coming in the next few days.
I agree, both use log4j v1.
Good idea. I updated the title and also added a statement in the description. Thanks again, everyone.
I also made a note on #1193 to add something to the changelog for 21.12.0 stating that we are not vulnerable. I'm checking internally with our security team on the final wording to use.
Heading afk now to prep for our incredibly (though unfortunately) well-timed event, "The Future of Open Source: Is It Sustainable?" 😁 😭
Mark: I've scanned the cp-kafka:5.5.0 and cp-zookeeper:5.50 (and all docker images) last week. Critical PyYAML. Maybe some of these vulnerabilities do not affect Sentry, but is there an easy way to check which components are in use or not?
Can you check again, AFAIK there was some discussion about whether log4j 1.x is vulnerable or not and whether different configurations and implementations are affected or not since last week. And could you share what you checked the docker images with? Does it have some verbose flag which can show more information?
I'd say our best shot is what kafka and communities around it say themselves and they say it's not affected:
I've scanned all images from docker compose (version 21.11.0) by the enterprise version of aquasec (your quoted comment refers to the public website of aquasec). But since it is on the intranet, I can't share the URL.
I will check it again after I make the patches for OS vulners.
https://lists.apache.org/thread/lgbtvvmy68p0059yoyn9qxzosdmx4jdv : AFAICS sentry kafka does not have these conditions, but sure we can use some more investigation into this...
Yeah, you are right. Log4j can be made vulnerable with specific settings, but they are not default like with Log4j2.
The CVE in thread is: https://avd.aquasec.com/nvd/cve-2021-44228/
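The check the thread keeps circling back to (log4j 1 vs. log4j 2, and for 1.x whether a JMSAppender is actually configured, as in the trivy discussion and the "specific settings" comment above) can be automated. The following is an added example, not code from this issue, Sentry, or Confluent: it classifies a jar by its entries and reads a log4j 1.x properties file for JMSAppender bindings. The class and pom.properties paths are the upstream log4j ones; the jar contents and properties files are constructed fixtures, and the 2.15.0 cutoff is the fixed version named in the Apache advisory for CVE-2021-44228 only.

```python
import io
import re
import zipfile

# Added example, not Sentry/Kafka/Confluent code. Assumes jars are plain zip
# archives and that the entry names below are the upstream log4j ones.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # log4j 2 ${jndi:...} vector
JMS_APPENDER = "org/apache/log4j/net/JMSAppender.class"                # log4j 1.x, only if configured
LOG4J1_LOGGER = "org/apache/log4j/Logger.class"
LOG4J2_CORE_PREFIX = "org/apache/logging/log4j/core/"
LOG4J2_POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED_FOR_44228 = (2, 15, 0)  # fix release for CVE-2021-44228; later CVEs need later releases

# log4j 1.x properties syntax: log4j.appender.<name>=<appender class>
JMS_RE = re.compile(
    r"^\s*log4j\.appender\.([^.=\s]+)\s*=\s*org\.apache\.log4j\.net\.JMSAppender\s*$",
    re.MULTILINE,
)


def parse_version(pom_properties):
    """Return (major, minor, patch) from a pom.properties 'version=' line, or None."""
    m = re.search(r"^version=(\d+)\.(\d+)(?:\.(\d+))?", pom_properties, re.MULTILINE)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)) if m else None


def inspect_jar(jar_bytes):
    """Classify a jar as log4j 2 core, log4j 1.x, or neither, from its entry names."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
        version = parse_version(zf.read(LOG4J2_POM).decode()) if LOG4J2_POM in names else None
    if any(n.startswith(LOG4J2_CORE_PREFIX) for n in names):
        return {"family": "log4j2", "version": version, "jndi_lookup": JNDI_LOOKUP in names}
    if LOG4J1_LOGGER in names:
        return {"family": "log4j1", "jms_appender_class": JMS_APPENDER in names}
    return {"family": None}


def jms_appenders(log4j_properties):
    """Names of appenders that a log4j 1.x properties file binds to JMSAppender."""
    return JMS_RE.findall(log4j_properties)


def assess(jar_bytes, log4j_properties=""):
    """Verdict for CVE-2021-44228 given a jar and, for 1.x, its log4j.properties."""
    info = inspect_jar(jar_bytes)
    if info["family"] == "log4j2":
        v = info["version"]
        # Unknown version is treated conservatively as unpatched.
        if info["jndi_lookup"] and (v is None or v < FIXED_FOR_44228):
            return "affected: log4j 2 below 2.15.0 with JndiLookup present"
        return "not affected by CVE-2021-44228: log4j 2 patched or JndiLookup removed"
    if info["family"] == "log4j1":
        names = jms_appenders(log4j_properties)
        if info["jms_appender_class"] and names:
            return "not CVE-2021-44228, but JMSAppender configured (%s): review CVE-2021-4104" % ", ".join(names)
        return "not affected: log4j 1.x without a JMSAppender in use"
    return "no log4j classes found"


def make_jar(entries):
    """Build an in-memory jar from {entry_name: bytes} (constructed fixture, not a real jar)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed fixtures standing in for what a scanner would extract from an image.
LOG4J2_214 = make_jar({LOG4J2_POM: b"version=2.14.1\n", JNDI_LOOKUP: b"", LOG4J2_CORE_PREFIX + "Core.class": b""})
LOG4J2_214_STRIPPED = make_jar({LOG4J2_POM: b"version=2.14.1\n", LOG4J2_CORE_PREFIX + "Core.class": b""})
LOG4J1_JAR = make_jar({LOG4J1_LOGGER: b"", JMS_APPENDER: b""})
CONSOLE_PROPS = "log4j.rootLogger=INFO, stdout\nlog4j.appender.stdout=org.apache.log4j.ConsoleAppender\n"
JMS_PROPS = CONSOLE_PROPS + "log4j.appender.jms=org.apache.log4j.net.JMSAppender\n"

if __name__ == "__main__":
    cases = [
        ("log4j2 2.14.1", LOG4J2_214, ""),
        ("log4j2 2.14.1, JndiLookup removed", LOG4J2_214_STRIPPED, ""),
        ("log4j1 + console appender", LOG4J1_JAR, CONSOLE_PROPS),
        ("log4j1 + JMS appender", LOG4J1_JAR, JMS_PROPS),
    ]
    for label, jar, props in cases:
        print(label, "->", assess(jar, props))
```

On a real image the inputs would come from `docker cp` of the jars under the broker's libs directory and its log4j.properties; a scanner that only matches the artifact name "log4j" will flag both families, which is exactly the confusion corrected above, so the verdict here keys on the JndiLookup class and version for 2.x and on configuration for 1.x.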
We published our official statement today. Gonna go ahead and close this out. Good work, team. 👏 🙏
@chadwhitacre any update about CVE-2021-45105?
@Ankitva Other than sentry official statement which has already been mentioned and shared what else do you need clarification about? Edit: Ah, this is the one which has been fixed in 2.17.0, sentry statement is prior to 2.17.0 release.
@Ankitva Sentry is not vulnerable, the components we use use 1.x.
If it uses > 1.2.17
Thanks @rvanlieshout, reticketed as #1219.
Official Statement
https://blog.sentry.io/2021/12/15/sentrys-response-to-log4j-vulnerability-cve-2021-44228
Update
The two Java-based components used in self-hosted Sentry are Kafka and Zookeeper. Both of those projects have concluded that they are not vulnerable, therefore our best understanding is that self-hosted Sentry is not vulnerable to log4shell and does not need to be patched.
Original
I have a self-hosted installation of Sentry 21.9.0 (sorry for not updating it).
I know that some components of Sentry are written in Java. Today I have read the news about a critical log4j vulnerability (https://www.lunasec.io/docs/blog/log4j-zero-day/, CVE-2021-44228). Are Sentry installations using scripts from this repository affected? If so, what's the proper way to apply a fix or workaround?
Originally posted by @patrakov in #1175 (comment)