Log4j 1.2 Vulnerability

A critical security vulnerability, https://nvd.nist.gov/vuln/detail/CVE-2022-23307, has been identified in the Apache Chainsaw library. Prior to Chainsaw V2.0, Chainsaw was a component of Apache Log4j 1.2.x, where the same issue exists. This has raised concerns among many dCache admins, who have contacted us either directly or by sending a message to security@dcache.org. Thanks for that!

Log4j in dCache

dCache uses logback as its default logging solution and does not distribute the Log4j library with officially released packages. dCache itself is therefore not affected.

Log4j in ZooKeeper

Like many Java-based projects, ZooKeeper and Apache Kafka use Log4j 1.2 as their logging library.

There are two ways sites deploy ZooKeeper for dCache: either as a dCache cell (don't do this unless you have a good reason) or as a standalone ZooKeeper cluster.

If you use the embedded ZooKeeper, you can stop reading here. dCache redirects all calls to log4j to logback, so your ZooKeeper is not affected.

For sites that use the ZooKeeper rpms built by dcache.org, we have built the zk-3.5.8-3 package with the corresponding fix.

Sites that use rpms built by others, or tarballs provided by the Apache Foundation, can either switch to the rpms built by dcache.org or apply the workaround manually by removing the Chainsaw classes from the log4j jar:

zip -q -d /usr/lib/zookeeper/lib/log4j*.jar 'org/apache/log4j/chainsaw/*'

NOTE: the path to the log4j jar may differ depending on packaging, ZooKeeper version and distribution. The pattern is quoted so that the shell does not expand it; only the jar glob should be expanded, and it must match exactly one jar, otherwise zip would treat the additional jars as entries to delete. Verify afterwards with `unzip -l` that no org/apache/log4j/chainsaw/ entries remain, and restart ZooKeeper so the modified jar is loaded.
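The following script, added here as an illustration and not part of dCache or Apache ZooKeeper, does the same thing as the zip command in a way that can be checked: it lists the Chainsaw entries in a log4j jar, rewrites the jar without them (the Python zipfile module cannot delete entries in place, so it writes a temporary copy and atomically replaces the original), and re-lists the jar to confirm nothing is left. The demo builds a small stand-in for log4j-1.2.17.jar in a temporary directory, with a few constructed entries, so that it runs offline; the lib directory path, the jar name and the class names inside it are assumptions for the example only. Pointing find_log4j_jars() at /usr/lib/zookeeper/lib (or wherever your packaging puts the jar) handles the real case.

```python
"""Strip the Chainsaw classes (CVE-2022-23307) from a log4j 1.2 jar and verify.

Added example, not dCache or Apache code. Same effect as
    zip -q -d log4j*.jar 'org/apache/log4j/chainsaw/*'
but with a before/after check and an atomic replace of the jar.
"""
import os
import tempfile
import zipfile

CHAINSAW_PREFIX = "org/apache/log4j/chainsaw/"


def chainsaw_entries(jar_path):
    """Names of all entries under org/apache/log4j/chainsaw/ in the jar."""
    with zipfile.ZipFile(jar_path) as zf:
        return [n for n in zf.namelist() if n.startswith(CHAINSAW_PREFIX)]


def strip_chainsaw(jar_path):
    """Rewrite jar_path without the Chainsaw entries; return how many were dropped.

    The new archive is written next to the original and then os.replace()d over
    it, so a crash mid-way leaves the original jar untouched.
    """
    jar_path = os.path.abspath(jar_path)
    fd, tmp_path = tempfile.mkstemp(dir=os.path.dirname(jar_path), suffix=".tmp")
    os.close(fd)
    removed = 0
    try:
        with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp_path, "w") as dst:
            for info in src.infolist():
                if info.filename.startswith(CHAINSAW_PREFIX):
                    removed += 1
                    continue
                # Copy the entry with its original metadata and compression type.
                dst.writestr(info, src.read(info.filename))
        os.chmod(tmp_path, os.stat(jar_path).st_mode)  # keep the jar's permissions
        os.replace(tmp_path, jar_path)
    except BaseException:
        os.unlink(tmp_path)
        raise
    return removed


def find_log4j_jars(lib_dir):
    """All log4j*.jar files in lib_dir, e.g. /usr/lib/zookeeper/lib (assumed path)."""
    return sorted(
        os.path.join(lib_dir, f)
        for f in os.listdir(lib_dir)
        if f.startswith("log4j") and f.endswith(".jar")
    )


def make_sample_jar(path):
    """Constructed stand-in for log4j-1.2.17.jar: a manifest, one ordinary class
    and two Chainsaw classes. The class bodies are just a class-file magic number."""
    magic = b"\xca\xfe\xba\xbe"
    with zipfile.ZipFile(path, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/apache/log4j/Logger.class", magic)
        zf.writestr("org/apache/log4j/chainsaw/Main.class", magic)
        zf.writestr("org/apache/log4j/chainsaw/LoggingReceiver.class", magic)


def demo():
    """Run the workaround against the constructed jar and report the before/after state."""
    with tempfile.TemporaryDirectory() as lib:
        make_sample_jar(os.path.join(lib, "log4j-1.2.17.jar"))
        jars = find_log4j_jars(lib)
        assert len(jars) == 1, "expected exactly one log4j jar in the lib dir"
        jar = jars[0]
        before = len(chainsaw_entries(jar))
        removed = strip_chainsaw(jar)
        after = chainsaw_entries(jar)
        with zipfile.ZipFile(jar) as zf:
            remaining = sorted(zf.namelist())
        return before, removed, after, remaining


if __name__ == "__main__":
    before, removed, after, remaining = demo()
    print(f"chainsaw entries before: {before}, removed: {removed}, after: {after}")
    print("remaining entries:", remaining)
```

After running strip_chainsaw() on a real jar, restart ZooKeeper; the JVM has already mapped the old jar and keeps serving the removed classes until it is restarted.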