Any news on the Apache Log4j 2 aka CVE-2021-44228 issue? Is Kubernetes affected?
No… Kubernetes is written in Go.
I found details in the Kubernetes slack announcement channel:
- The Product Security Committee has posted a security advisory for kubelet that could allow a user to create a container with subpath volume mounts to access files & directories outside of the volume, including on the host filesystem. This issue has been rated High and assigned CVE-2021-25741. Please see CVE-2021-25741: Symlink Exchange Can Allow Host Filesystem Access · Issue #104980 · kubernetes/kubernetes · GitHub for more details.
- The Product Security Committee has posted a security advisory for kube-apiserver where actors that control the responses of MutatingWebhookConfiguration or ValidatingWebhookConfiguration requests are able to redirect kube-apiserver requests to private networks of the apiserver. If that user can view kube-apiserver logs when the log level is set to 10, they can view the redirected responses and headers in the logs. This issue has been rated Medium and assigned CVE-2020-8561. Please see CVE-2020-8561: Webhook redirect in kube-apiserver · Issue #104720 · kubernetes/kubernetes · GitHub for more details.
- The Security Response Committee has posted a security advisory for ingress-nginx where use of custom snippets could allow retrieval of ingress-nginx serviceaccount token and secrets across all namespaces. This issue has been rated High and assigned CVE-2021-25742. Please see CVE-2021-25742: Ingress-nginx custom snippets allows retrieval of ingress-nginx serviceaccount token and secrets across all namespaces · Issue #7837 · kubernetes/ingress-nginx · GitHub for more details.
Those announcements were posted on September 15th (the first two) and October 21st (the third) and they’re about different, unrelated vulnerabilities with different CVE numbers.
@charlieok Thanks for that, totally missed that the dates didn’t match up.
Hello,
We have the same question: is Kubernetes impacted by Log4j, and does any action need to be taken? Furthermore, how do we identify which version of Log4j is running, and whether it is an impacted version or not?
Kindly assist. Thank you very much.
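As an added, defensive example that is not part of any post in this thread: the last question asks how to find out which Log4j version a workload is running. Kubernetes itself ships no Log4j, so the place to look is the application archives inside each container image. The Python scanner below walks a directory tree (for instance a container root filesystem copied out of an image or a pod), opens every `.jar`/`.war`/`.ear` file, recurses into nested archives, and reports any archive that contains log4j-core's `JndiLookup` class together with the version recorded in log4j-core's bundled `pom.properties` (falling back to the file name). Versions below 2.15.0, the first mainline fix for CVE-2021-44228, are flagged as affected; the follow-on CVEs raised the recommended version further, so treat "not flagged" as "not affected by this one CVE", not as fully patched. The sample tree it builds under `app/` is constructed for the demo and is not a real image layout.

```python
import io
import os
import re
import tempfile
import zipfile

# Real entry names inside a log4j-core JAR: the class that implements the
# ${jndi:...} lookup abused by CVE-2021-44228, and Maven's version metadata.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
# 2.15.0 is the first mainline release that fixed CVE-2021-44228. Later CVEs raised
# the recommended version, and the Java 7/6 backport branches (2.12.x, 2.3.x) have
# their own fixed releases; flagging everything below 2.15.0 is deliberately conservative.
FIXED_VERSION = (2, 15, 0)


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); None if unparsable."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text or "")
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(version):
    """True/False for a known version, None when the version could not be determined."""
    v = parse_version(version)
    return None if v is None else v < FIXED_VERSION


def version_from_pom_properties(data):
    for line in data.decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def inspect_archive(data, name, depth=0, max_depth=3):
    """Look for log4j-core inside a zip-based archive, recursing into nested
    archives (a WAR's WEB-INF/lib, a fat JAR) up to max_depth levels deep."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip container, nothing to inspect
    names = set(zf.namelist())
    if JNDI_LOOKUP_CLASS in names:
        version = None
        if POM_PROPERTIES in names:
            version = version_from_pom_properties(zf.read(POM_PROPERTIES))
        if version is None:  # fall back to the file name, e.g. log4j-core-2.14.1.jar
            m = re.search(r"log4j-core-(\d[\w.\-]*)\.jar$", name)
            version = m.group(1) if m else None
        findings.append({"path": name, "version": version, "affected": is_affected(version)})
    if depth < max_depth:
        for inner in sorted(names):
            if inner.lower().endswith(ARCHIVE_SUFFIXES):
                findings.extend(inspect_archive(zf.read(inner), name + "!/" + inner, depth + 1, max_depth))
    return findings


def scan_directory(root):
    """Walk a filesystem tree (e.g. a container rootfs copied out of a pod)."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower().endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    findings.extend(inspect_archive(fh.read(), path))
    return findings


def _make_log4j_core_jar(version):
    """Constructed stand-in for a log4j-core JAR: only the entries the scanner reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only, no bytecode
        zf.writestr(POM_PROPERTIES, "groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion=%s\n" % version)
    return buf.getvalue()


def run_demo():
    """Build a constructed sample tree (assumed layout, not a real image) and scan it."""
    with tempfile.TemporaryDirectory() as root:
        lib = os.path.join(root, "app", "lib")
        os.makedirs(lib)
        with open(os.path.join(lib, "log4j-core-2.14.1.jar"), "wb") as fh:
            fh.write(_make_log4j_core_jar("2.14.1"))  # affected: below 2.15.0
        with zipfile.ZipFile(os.path.join(root, "app", "service.war"), "w") as war:
            war.writestr("WEB-INF/lib/log4j-core-2.16.0.jar", _make_log4j_core_jar("2.16.0"))
            war.writestr("WEB-INF/lib/other.jar", b"not a zip")  # must not abort the scan
        return scan_directory(root)


if __name__ == "__main__":
    for f in run_demo():
        print(f["path"], f["version"], "AFFECTED" if f["affected"] else "ok")
```

Checking for the `JndiLookup` class rather than only for a file named `log4j-core-*.jar` matters because shaded and fat JARs rename or repackage the library; the `pom.properties` entry is the more reliable version source for the same reason. Running this per image in a registry, or against a filesystem copied out of a running pod, answers "which version is present" for each workload regardless of how Kubernetes itself is built.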