Overview
This article addresses the concerns raised about the Log4j vulnerabilities described in the recent CVEs listed below.
Applies to
Dremio helm charts which use the ZooKeeper instance from Google’s container repository:
- Kubernetes deployments of all Dremio Releases up to and including 20.x
CVEs
- CVE-2022-23302
- CVE-2022-23305
- CVE-2022-23307
- CVE-2021-44228
Details
Dremio helm charts use the ZooKeeper instance from Google’s container repository, hosted at k8s.gcr.io/kubernetes-zookeeper:1.0-3.4.10. This version of ZooKeeper is deployed with log4j version 1.2.16.
As of today, every version of ZooKeeper, in any product, depends on log4j version 1.2.x.
- log4j 1.x has been end of life (EOL) at the Apache Software Foundation since 2015.
- log4j 1.2.16 is not vulnerable to the Log4Shell vulnerability (CVE-2021-44228), unlike log4j2 versions prior to 2.15.0-rc1.
- Apache ZooKeeper has an open ticket for upgrading to Log4j 2 (see [2] below).
- Dremio deployments that are not Kubernetes based use Logback as their logging framework (see [1] below).
For Kubernetes based installations, it is worth noting that an attacker who already has access to the server or the container could load a different log4j configuration and enable the vulnerable JMSAppender and JDBCAppender classes. This is considered a limited exposure, since the attacker would first need to have obtained shell level access to the server, the container and/or the Kubernetes cluster. These vulnerable classes are not enabled by default, and a container restart resets the configuration to its default safe values.
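As an added, defender-side illustration (not part of this advisory or of Dremio's tooling): a check that parses a log4j 1.x properties file taken from the ZooKeeper container and reports whether the JMSAppender or JDBCAppender classes have been defined, and whether a logger actually references them. The two sample configurations are constructed; the class names are the real log4j 1.2 ones, and the pod name and file path in the usage comment are placeholders.

```python
import re
import sys

# Classes the advisory names as enable-able through a replaced log4j 1.x configuration.
VULNERABLE_APPENDERS = {
    "org.apache.log4j.net.JMSAppender": "JMSAppender",
    "org.apache.log4j.jdbc.JDBCAppender": "JDBCAppender",
}
# "log4j.appender.NAME=fully.qualified.Class" (sub-keys such as NAME.layout do not match)
APPENDER_DEF = re.compile(r"^log4j\.appender\.([^.\s=:]+)\s*[=:]\s*(\S+)\s*$")
# "log4j.rootLogger=LEVEL, app1, app2" and the log4j.logger.<name>=... form
LOGGER_DEF = re.compile(r"^log4j\.(?:rootLogger|logger\.[^\s=:]+)\s*[=:]\s*(.*)$")

def parse_log4j_properties(text):
    """Return (appender name -> class, names of appenders attached to some logger)."""
    appenders, attached = {}, set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":  # blank lines and comments
            continue
        m = APPENDER_DEF.match(line)
        if m:
            appenders[m.group(1)] = m.group(2)
            continue
        m = LOGGER_DEF.match(line)
        if m:  # first comma-separated token is the level, the rest are appender refs
            parts = [p.strip() for p in m.group(1).split(",")]
            attached.update(p for p in parts[1:] if p)
    return appenders, attached

def find_vulnerable_appenders(text):
    """Sorted (name, short class, attached?) per flagged appender. log4j 1.x only
    instantiates appenders a logger references, so an unattached one is inert."""
    appenders, attached = parse_log4j_properties(text)
    return sorted((name, VULNERABLE_APPENDERS[cls], name in attached)
                  for name, cls in appenders.items() if cls in VULNERABLE_APPENDERS)

# Constructed samples: a console-only config and a tampered copy of it.
SAFE_CONFIG = """\
log4j.rootLogger=INFO, CONSOLE
log4j.appender.CONSOLE=org.apache.log4j.ConsoleAppender
log4j.appender.CONSOLE.layout=org.apache.log4j.PatternLayout
"""
TAMPERED_CONFIG = SAFE_CONFIG.replace("INFO, CONSOLE", "INFO, CONSOLE, JMS") + """\
log4j.appender.JMS=org.apache.log4j.net.JMSAppender
log4j.appender.DB=org.apache.log4j.jdbc.JDBCAppender
"""

if __name__ == "__main__":  # e.g. kubectl exec <zk-pod> -- cat <path>/log4j.properties | python3 check.py
    for name, cls, live in find_vulnerable_appenders(sys.stdin.read()):
        print(f"{name}: {cls} {'attached to a logger' if live else 'defined only'}")
```

Running the same check after a container restart should again report nothing, which is the reset-to-defaults behaviour the paragraph above relies on.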
In terms of ZooKeeper communications, the ZooKeeper port (TCP/2181) is not exposed to untrusted networks, since deployment models typically route this traffic within the container’s private subnetwork. Dremio generates the ZooKeeper communication payloads procedurally; they are not derived from user input. These measures also mitigate the path to exploitation even if the services were vulnerable.
Further reading
[1] Dremio CVE-2021-44228 announcement: https://mailchi.mp/dremio.com/dremio-support-advisory-dremio-is-not-affected-by-apache-log4j-vulnerability-cve-2021-44228
[2] Apache ZooKeeper log4j upgrade: ZOOKEEPER-2342, "Migrate to Log4J 2" (ASF JIRA)