ZooKeeper / ZOOKEEPER-3990

Log4j 1.2.17 used by zookeeper 3.6.1 is vulnerable to CVE-2019-17571


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Duplicate
    • Affects Version/s: 3.6.1, 3.6.2

    Description

      Hello everyone,

      I work for a product which uses apache/zookeeper 3.6.1. We scanned our product with a security scanner, which reported CVE-2019-17571.

      After analysis we found that this vulnerability is coming from zookeeper 3.6.1 because of its direct dependency on log4j 1.2.17.

      Statement regarding the 1.x version of log4j from the official site:

      A security vulnerability, CVE-2019-17571, has been identified against Log4j 1. Log4j includes a SocketServer that accepts serialized log events and deserializes them without verifying whether the objects are allowed or not. This can provide an attack vector that can be exploited. Since Log4j 1 is no longer maintained this issue will not be fixed. Users are urged to upgrade to Log4j 2.x.

      Could you please share your rationale on not upgrading log4j to 2.x?
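The check a practitioner usually wants after a scanner flags CVE-2019-17571 is whether the bundled Log4j 1 jar actually ships the network listener classes behind the finding (org.apache.log4j.net.SocketServer and SocketNode, the code that deserializes LoggingEvent objects from a socket), and, when an upgrade to Log4j 2 is not immediately possible, a way to strip those classes from the jar as a stopgap. The script below does both. It is an added example, not ZooKeeper's or Log4j's code: the `zookeeper-3.6.1/lib` path, the manifest text and the class entries are constructed placeholders built in `build_sample_jar()`, and the scanner only reports whether the classes are present in the jar, not whether anything in the deployment runs them.

```python
"""Find Log4j 1.x jars, report whether the CVE-2019-17571 listener classes
are present, and strip them as a stopgap mitigation.

Added example; not ZooKeeper or Log4j code.  The jar it scans is built
by build_sample_jar() from synthetic placeholder entries.
"""
import io
import re
import tempfile
import zipfile
from pathlib import Path

# The classes implementing the socket listener that deserializes
# LoggingEvent objects received from the network (CVE-2019-17571).
RISKY_CLASSES = (
    "org/apache/log4j/net/SocketServer.class",
    "org/apache/log4j/net/SocketNode.class",
)

VERSION_RE = re.compile(r"^Implementation-Version:\s*(\S+)", re.MULTILINE)


def log4j1_version(jar: zipfile.ZipFile, jar_name: str):
    """Return the Log4j 1.x version of a jar, or None if it is not Log4j 1.

    The version comes from the manifest when available, otherwise from the
    file name.  A 2.x version (e.g. the log4j-1.2-api bridge, which also
    ships org.apache.log4j.Logger) is deliberately not reported.
    """
    names = jar.namelist()
    if "org/apache/log4j/Logger.class" not in names:
        return None
    version = None
    if "META-INF/MANIFEST.MF" in names:
        manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        m = VERSION_RE.search(manifest)
        version = m.group(1) if m else None
    if version is None:
        m = re.search(r"log4j-(\d+\.\d+\.\d+)\.jar$", jar_name)
        version = m.group(1) if m else None
    return version if version and version.startswith("1.") else None


def scan_jar(path: Path) -> dict:
    """Inspect one jar and report which risky classes it ships."""
    with zipfile.ZipFile(path) as jar:
        version = log4j1_version(jar, path.name)
        names = set(jar.namelist())
    present = [c for c in RISKY_CLASSES if c in names]
    return {"jar": path.name, "log4j1_version": version,
            "risky_classes": present,
            "vulnerable": version is not None and bool(present)}


def scan_lib_dir(lib_dir: Path) -> list:
    """Scan every jar in a lib directory, in name order."""
    return [scan_jar(p) for p in sorted(lib_dir.glob("*.jar"))]


def strip_classes(path: Path, classes=RISKY_CLASSES) -> int:
    """Rewrite the jar without the listed classes and return how many
    entries were removed.  Same effect as
    `zip -q -d log4j-1.2.17.jar org/apache/log4j/net/SocketServer.class`.
    """
    removed = 0
    buf = io.BytesIO()
    with zipfile.ZipFile(path) as src, zipfile.ZipFile(buf, "w") as dst:
        for info in src.infolist():
            if info.filename in classes:
                removed += 1
                continue
            dst.writestr(info, src.read(info.filename))
    path.write_bytes(buf.getvalue())
    return removed


def build_sample_jar(lib_dir: Path) -> Path:
    """Constructed stand-in for the log4j-1.2.17.jar shipped with
    ZooKeeper 3.6.1.  Manifest and class bodies are synthetic placeholders;
    a second unrelated jar checks that non-Log4j jars are not flagged."""
    lib_dir.mkdir(parents=True, exist_ok=True)
    jar_path = lib_dir / "log4j-1.2.17.jar"
    with zipfile.ZipFile(jar_path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     "Manifest-Version: 1.0\r\nImplementation-Version: 1.2.17\r\n")
        jar.writestr("org/apache/log4j/Logger.class", b"\xca\xfe\xba\xbe")
        for cls in RISKY_CLASSES:
            jar.writestr(cls, b"\xca\xfe\xba\xbe")
    with zipfile.ZipFile(lib_dir / "slf4j-api-1.7.25.jar", "w") as other:
        other.writestr("org/slf4j/Logger.class", b"\xca\xfe\xba\xbe")
    return jar_path


def demo():
    """Scan the constructed lib dir, strip the listener classes, rescan."""
    with tempfile.TemporaryDirectory() as d:
        lib = Path(d) / "zookeeper-3.6.1" / "lib"  # assumed layout
        jar = build_sample_jar(lib)
        before = scan_lib_dir(lib)
        removed = strip_classes(jar)
        after = scan_lib_dir(lib)
    return before, removed, after


if __name__ == "__main__":
    before, removed, after = demo()
    for r in before + after:
        print(r)
    print("removed entries:", removed)
```

Stripping the two classes removes the deserializing listener while leaving ordinary logging intact, which is why it is the common stopgap for a Log4j 1 deployment that cannot move to Log4j 2 yet; it does not address the upstream statement that Log4j 1 receives no further fixes, so the upgrade question asked above still stands.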


              People

                Assignee: ztzg Damien Diederen
                Reporter: kotlasaicharanreddy SAICHARAN REDDY KOTLA
                Votes: 0
                Watchers: 2
