LBN -- Apache Pulsar - Mitigation for CVE-2021-44228 (Log4Shell)


Products: TIBCO Messaging Quasar - Powered by Apache Pulsar
Versions: 2.4.2, 2.5.0, 2.5.1, 2.5.2, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.7.4, 2.8.0, 2.8.1

Description

TIBCO is aware of the recently announced Apache Log4J vulnerability (CVE-2021-44228), referred to as “Log4Shell”. Performing these attacks requires an attacker to have control of log messages or at least the parameters for a given log message. This vulnerability theoretically enables arbitrary code to be executed on the affected system.

TIBCO’s Security Team is actively monitoring the information coming out about the Apache Log4J Vulnerability and our Product Security Incident Response Team (PSIRT) is actively evaluating how this vulnerability may affect TIBCO products and cloud services.

Issue/Introduction

Apache Pulsar - Mitigation for CVE-2021-44228 (Log4Shell)

Environment

All

Resolution

These instructions are based on the mitigation steps documented by the Apache Pulsar project for vulnerable versions of Log4j2.

The vulnerable log4j code is present in the following Apache Pulsar versions: all releases prior to 2.7.0, the 2.7.x releases up to and including 2.7.3, and the 2.8.x releases up to and including 2.8.1.
There are two available ways to address this issue and disable the compromised functionality:

1) Using a Java system property: set the "log4j2.formatMsgNoLookups" property to "true". This can be set when starting the JVM by adding "-Dlog4j2.formatMsgNoLookups=true" to the command line used to start Apache Pulsar components.

Alternatively:

2) Using an environment variable: set LOG4J_FORMAT_MSG_NO_LOOKUPS=true in the environment of the Apache Pulsar process to disable the compromised functionality.

All Apache Pulsar brokers and connectors should be stopped and restarted using one of the two mitigation steps outlined above. Disabling the compromised functionality will not impact any Apache Pulsar functionality. Apache Pulsar clients, BookKeeper nodes, and ZooKeeper nodes are not affected by this issue, and the mitigation steps outlined above are benign if applied to them.
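As an added example that is not part of this article or of the Apache Pulsar project, the following shell check lets an operator confirm, after the restart, that a running Pulsar JVM actually carries one of the two mitigations above; it assumes a Linux host with /proc available and that Pulsar processes can be found by the "org.apache.pulsar" pattern in their command line.

```shell
#!/bin/sh
# log4shell_mitigated CMDLINE ENVIRON
#   CMDLINE: the process command line with arguments separated by spaces
#   ENVIRON: the process environment, one VAR=value entry per line
# Returns 0 if either the JVM property or the environment variable
# mitigation from the article is present, 1 otherwise.
log4shell_mitigated() {
    cmdline=$1
    environ=$2
    # Mitigation 1: the -D system property passed on the JVM command line.
    # Surrounding spaces force a whole-argument match.
    case " $cmdline " in
        *" -Dlog4j2.formatMsgNoLookups=true "*) return 0 ;;
    esac
    # Mitigation 2: the environment variable, matched as a whole line.
    printf '%s\n' "$environ" | grep -qx 'LOG4J_FORMAT_MSG_NO_LOOKUPS=true' && return 0
    return 1
}

# Walk the live Pulsar JVMs on this host (assumption: Linux /proc layout)
# and report which ones still need a restart with the mitigation applied.
check_running_pulsar_jvms() {
    for pid in $(pgrep -f 'org.apache.pulsar' 2>/dev/null); do
        cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline")
        env=$(tr '\0' '\n' < "/proc/$pid/environ")
        if log4shell_mitigated "$cmd" "$env"; then
            echo "pid $pid: mitigated"
        else
            echo "pid $pid: NOT mitigated - restart with -Dlog4j2.formatMsgNoLookups=true or LOG4J_FORMAT_MSG_NO_LOOKUPS=true"
        fi
    done
}
```

Reading /proc/PID/environ requires the same user as the process or root, so run the check with sufficient privileges.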