log4j remediation on Jboss Kafka - apache-kafka

Log4j 1.x has reached End of Life in 2015 and is no longer supported. Vulnerabilities reported after August 2015 against Log4j 1.x were not checked and will not be fixed. Users should upgrade to Log4j 2 to obtain security fixes.
Kafka is software used by the application to communicate between microservices. Kafka in JBoss servers is using log4j 1.x. We need to be able to use log4j 2.x here.
Vulnerable software installed: Apache Log4j 1.2.17 (/apps/server/standalone/kafka/kafka_2.11-0.10.1.0/libs/log4j-1.2.17.jar)
All new Kafka versions also use Log4j 1.2.17. Need to remediate this.
JBoss version is jboss-eap-6.4
What is the way?

Log4j2 is not scheduled to be released with Kafka until Kafka 4.0 - KAFKA-9366
Until then, you can try to directly modify the log4j jars yourself to remove vulnerable classes, such as JMSAppender, or replace it with reload4j, which is only available in recent commits (Kafka 3.1.1 & 3.2) - https://github.com/apache/kafka/pull/11743
Seeing as your JBoss is using a version of Kafka several years old now, it might not be possible to upgrade directly without upgrading JBoss itself.
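The jar-surgery route the answer describes, as an added example that is not part of the question or the answer: it walks a libs/ tree for Log4j 1.x jars, reports which listed classes are actually inside, and writes a stripped copy alongside the original so the untouched jar stays for rollback. The sample jar it builds is constructed (no real bytecode), and the risky-class set is an assumption seeded only with the JMSAppender class named above; extend it from your own vendor advisory.

```python
import os
import tempfile
import zipfile

# Classes whose presence in a Log4j 1.x jar a defender wants to know about.
# Assumption: only JMSAppender (named in the answer) is listed; extend as needed.
RISKY_CLASSES = {"org/apache/log4j/net/JMSAppender.class"}


def find_log4j1_jars(root):
    """Walk a directory tree (e.g. a Kafka libs/ dir) and return Log4j 1.x jars."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.startswith("log4j-1.") and name.endswith(".jar"):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def audit_jar(path, risky=RISKY_CLASSES):
    """Return the risky class entries actually present in the jar, sorted."""
    with zipfile.ZipFile(path) as zf:
        return sorted(set(zf.namelist()) & risky)


def strip_jar(src, dst, risky=RISKY_CLASSES):
    """Copy src to dst without the risky entries; never edits src in place."""
    removed = kept = 0
    with zipfile.ZipFile(src) as zin, \
            zipfile.ZipFile(dst, "w", zipfile.ZIP_DEFLATED) as zout:
        for item in zin.infolist():
            if item.filename in risky:
                removed += 1
                continue
            zout.writestr(item, zin.read(item.filename))  # keeps entry metadata
            kept += 1
    return removed, kept


def demo():
    """Build a constructed stand-in for log4j-1.2.17.jar and run audit -> strip -> audit."""
    libs = os.path.join(tempfile.mkdtemp(), "libs")
    os.makedirs(libs)
    jar = os.path.join(libs, "log4j-1.2.17.jar")
    with zipfile.ZipFile(jar, "w") as zf:  # constructed sample, not real bytecode
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/apache/log4j/Logger.class", b"\xca\xfe\xba\xbe")
        zf.writestr("org/apache/log4j/net/JMSAppender.class", b"\xca\xfe\xba\xbe")
    found = find_log4j1_jars(os.path.dirname(libs))
    before = audit_jar(jar)
    removed, kept = strip_jar(jar, jar + ".stripped")
    return {"found": found, "before": before, "removed": removed,
            "kept": kept, "after": audit_jar(jar + ".stripped")}
```

Run demo() against a copy of the real Kafka libs/ directory by pointing find_log4j1_jars at it; rename the .stripped file into place only after Kafka has been tested against it, since removing a class breaks any log4j.properties that still references that appender.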

Related

Confused by wildfly versions used in EAP 7.2

I would have added this to another thread, but I am unable to comment on others' posts. And what I read did not answer my question. I just installed EAP 7.2.0.GA. In the console log, it says:
JBoss EAP 7.2.0.GA (WildFly Core 6.0.11.Final-redhat-00001)
However, others think it is around version 13. And when I look at the releases of WildFly (http://wildfly.org/downloads/), a version 6 is so old it does not even show up and would have been prior to 2014...
So, how can it be 6.0.11.Final?
WildFly Core is just a component in the WildFly application server.
As such, it is also used in JBoss EAP, which is a downstream product based on WildFly AS.
WildFly Core is a standalone project which provides most of the core capabilities (management, CLI, administration, subsystem infrastructure...) of the application server without any Java EE support; that is added to it by the WildFly project.
You can see the sources for both at
https://github.com/wildfly/wildfly-core/
https://github.com/wildfly/wildfly/
As for your confusion:
WildFly Core 6.0.x is used in EAP 7.1 as well as in WildFly 14,
which you can also see in the sources: https://github.com/wildfly/wildfly/blob/14.0.0.Final/pom.xml#L375
The micro version is not always exactly the same, as in the process of building the downstream EAP product, extra patches can be added.
WildFly Core is a component in JBoss Enterprise Application Platform 7 (EAP 7). So, this log means:
JBoss EAP 7.2 - JBoss EAP in version 7.2
GA - General availability
WildFly Core 6.0.11.Final - component WildFly Core in version 6.0.11.Final.
See also:
JBoss Enterprise Application Platform Component Details
Software release life cycle

Is there a maven dependency for kafka 0.10.2.2 version?

I'm using Kafka version 0.10.2.1 and there's a known issue on this version.
https://issues.apache.org/jira/browse/KAFKA-5167
It has been fixed in 0.10.2.2 and other higher versions as per the ticket. But I don't see any Maven dependency for the 0.10.2.2 release.
There is no Maven artifact because Kafka 0.10.2.2 has not been released.
As Kafka is currently releasing 1.1, it's unclear if 0.10.2.2 will ever be released.
You have 2 options:
Notify the developers' mailing list with your interest in 0.10.2.2. If enough people are interested it might happen.
Start using the 0.10.2 branch. You'll have to build it yourself, but then you'll be running the most up-to-date 0.10.2 code (including the fix for KAFKA-5167).

PicketLink support for JBoss

Download JBoss EAP or WildFly
PicketLink can be used on both servers.
Use the PicketLink Installer to configure them with the latest version
of the PicketLink modules and libraries.
Does this implicitly mean
it will work on my Red Hat JBoss Enterprise Application Platform, version 6.4.5.GA?
I can't find any further information about version support; maybe someone has experience and could give me a hint.
Solution
System Requirements
Make sure your environment is properly configured as follows:
Java 1.6 or Java 1.7
PicketLink Federation Quickstarts
JBoss Enterprise Application Platform 6 or WildFly Servers.
Reference

Jboss Wildfly resteasy upgrade

I've googled to find a detailed working tutorial for updating JBoss WildFly RESTEasy to the latest version (3.0.17), but it seems there are no solutions.
I'm testing on WildFly 10.0.0.Final, release-version: "2.0.10.Final",
with the RESTEasy core version. First question: how to list (from the shell or from the GUI) all core module versions in use?
From the official documentation I'm using jboss-jaxrs-api_2.0_spec-1.0.0.Final, but I want to use RESTEasy 3.0.17 for my project.
I can accept a global upgrade and/or instructions to use RESTEasy 3.0.17 only in my WAR project, "bypassing" the core WildFly RESTEasy implementation.
I read the official JBoss RESTEasy upgrade guide but without success.
Is there some guide or complete tutorial about managing modules on JBoss WildFly?
Or has someone already had these headaches and can share suggestions?
Have a look at this post from the JBoss forum:
https://developer.jboss.org/thread/274219
Basically, from WildFly 11 it will be possible to see the module versions in the console, and as regards the upgrade, it's manual work.

How to upgrade embedded HornetQ on JBoss 6.1.0.Final

I am running JBoss 6.1.0.Final with embedded HornetQ.
I want to upgrade HornetQ but keep the JBoss.
Is that possible, and how? What would be the latest compatible HornetQ version that can still work with JBoss 6.1.0.Final?
Looking at this thread: How to upgrade HornetQ version in JBoss 6?
I tried the following:
1- Downloaded HornetQ 2.4.0, but wasn't sure what to copy from the pack.
2- Downloaded the latest JBoss AS 6.1.1.Final and copied some jars, but not sure what version I deployed.
I need at least version 2.3.0 of HornetQ, and I have no idea which version of HornetQ is deployed with the latest 6.1.1.Final!
With JBoss EAP, I would post your question to Red Hat support. EAP 6.1 comes with HornetQ 2.3.1.Final, as you can see here. 6.1.1 comes with 3.6.6. And you can see the version simply by looking at the log messages or inside the manifest.