From ebd58b12d38af0371a3a87f01f18c95f46d920da Mon Sep 17 00:00:00 2001
From: Marios Andreopoulos
Date: Wed, 15 Dec 2021 18:13:30 +0200
Subject: [PATCH] Temporary mitigations for CVE-2021-44228

Fast-data-dev is not really affected and is not targeted towards production use. We still remove all Kafka connectors that ship with a vulnerable log4j implementation until we have a fix.

[OPS-2037]

Signed-off-by: Marios Andreopoulos
---
 Dockerfile | 25 ++++++++++++-------------
 1 file changed, 12 insertions(+), 13 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 283c892..40c80b9 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -87,10 +87,8 @@ RUN wget $DEVARCH_USER $DEVARCH_PASS "${STREAM_REACTOR_URL}" -O /stream-reactor.
 done \
 && rm -f /opt/landoop/connectors/stream-reactor/*/*{javadoc,scaladoc,sources}.jar \
 && echo "plugin.path=/opt/landoop/connectors/stream-reactor,/opt/landoop/connectors/third-party" \
- >> /opt/landoop/kafka/etc/schema-registry/connect-avro-distributed.properties
-# RUN echo "plugin.path=/opt/landoop/connectors/stream-reactor,/opt/landoop/connectors/third-party" \
-# >> /opt/landoop/kafka/etc/schema-registry/connect-avro-distributed.properties \
-# && mkdir -p /opt/landoop/connectors/stream-reactor
+ >> /opt/landoop/kafka/etc/schema-registry/connect-avro-distributed.properties \
+ && rm -rf /opt/landoop/connectors/stream-reactor/kafka-connect-{elastic6,elastic7,hive} # Temporary mitigation for log4shell (removing connectors with offending libs)
 # Add Secrets Provider
 ARG SECRET_PROVIDER_VERSION=2.1.6
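Review bot: The added `rm -rf …/stream-reactor/kafka-connect-{elastic6,elastic7,hive}` at the end of this RUN deletes a hard-coded list of directories and cannot fail, so nothing in the build proves the vulnerable library is actually gone. `rm -rf` exits 0 for a path that does not exist, and the brace list is expanded only when the RUN shell is bash (presumably it is, since the context line above already uses a brace pattern), so a renamed directory or another connector bundling log4j would pass unnoticed. A separate step after the last connector install, such as `RUN test -z "$(find /opt/landoop/connectors -name 'log4j-core-2*.jar')"`, would turn a missed jar into a build failure and would also cover the third-party connectors that stay installed; a file-name match does not see log4j classes shaded into another jar, and the pattern has to be narrowed once connectors ship a fixed log4j. The trailing `# Temporary mitigation …` comment sits on the last line of the RUN, where a `\` added later would be swallowed by the shell comment, so a comment line of its own is safer. The RUN starts outside this hunk.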
@@ -126,14 +124,15 @@ RUN wget $DEVARCH_USER $DEVARCH_PASS "$KAFKA_CONNECT_ELASTICSEARCH_URL" \
 && rm -rf /opt/kafka-connect-elasticsearch.tar.gz
 ## Kafka Connect HDFS
-ARG KAFKA_CONNECT_HDFS_VERSION=10.0.2-lkd-r0
-ARG KAFKA_CONNECT_HDFS_URL="${ARCHIVE_SERVER}/lkd/packages/connectors/third-party/kafka-connect-hdfs/kafka-connect-hdfs-${KAFKA_CONNECT_HDFS_VERSION}.tar.gz"
-RUN wget $DEVARCH_USER $DEVARCH_PASS "$KAFKA_CONNECT_HDFS_URL" \
-O /opt/kafka-connect-hdfs.tar.gz \
- && mkdir -p /opt/landoop/connectors/third-party/ \
- && tar --no-same-owner -xf /opt/kafka-connect-hdfs.tar.gz \
-C /opt/landoop/connectors/third-party/ \
- && rm -rf /opt/kafka-connect-hdfs.tar.gz
+# Disable until CVE-2021-44228 is addressed
+# ARG KAFKA_CONNECT_HDFS_VERSION=10.0.2-lkd-r0
+# ARG KAFKA_CONNECT_HDFS_URL="${ARCHIVE_SERVER}/lkd/packages/connectors/third-party/kafka-connect-hdfs/kafka-connect-hdfs-${KAFKA_CONNECT_HDFS_VERSION}.tar.gz"
+# RUN wget $DEVARCH_USER $DEVARCH_PASS "$KAFKA_CONNECT_HDFS_URL" \
+# -O /opt/kafka-connect-hdfs.tar.gz \
+# && mkdir -p /opt/landoop/connectors/third-party/ \
+# && tar --no-same-owner -xf /opt/kafka-connect-hdfs.tar.gz \
+# -C /opt/landoop/connectors/third-party/ \
+# && rm -rf /opt/kafka-connect-hdfs.tar.gz
 # Kafka Connect S3
 ARG KAFKA_CONNECT_S3_VERSION=10.0.0-lkd-r0
@@ -189,7 +188,7 @@ RUN mkdir -p /opt/landoop/connectors/third-party/kafka-connect-debezium-{mongodb
 && rm -rf /debezium-{mongodb,mysql,postgres,sqlserver}.tgz
 # Kafka Connect Splunk
-ARG KAFKA_CONNECT_SPLUNK_VERSION="1.1.0"
+ARG KAFKA_CONNECT_SPLUNK_VERSION="2.0.4"
 ARG KAFKA_CONNECT_SPLUNK_URL="https://github.com/splunk/kafka-connect-splunk/releases/download/v${KAFKA_CONNECT_SPLUNK_VERSION}/splunk-kafka-connect-v${KAFKA_CONNECT_SPLUNK_VERSION}.jar"
 RUN mkdir -p /opt/landoop/connectors/third-party/kafka-connect-splunk \
 && wget "$KAFKA_CONNECT_SPLUNK_URL" \
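Review bot: The new comment `# Disable until CVE-2021-44228 is addressed` above the commented-out HDFS block does not say what "addressed" means or where the work is tracked, so the block can linger or be re-enabled without anyone checking the bundled library. I would word it as `# Disabled: connector ships a log4j affected by CVE-2021-44228 (OPS-2037); re-enable only with a KAFKA_CONNECT_HDFS_VERSION that bundles a fixed log4j`. The Elasticsearch connector installed just above this hunk is left in place, and the visible lines do not show whether its archive bundles log4j-core, so that is worth confirming before relying on this mitigation.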