Posted to dev@kafka.apache.org by "Pavel Kuznetsov (Jira)" <ji...@apache.org> on 2020/07/07 18:03:00 UTC

[jira] [Created] (KAFKA-10245) Using vulnerable log4j version

Pavel Kuznetsov created KAFKA-10245:
---------------------------------------

             Summary: Using vulnerable log4j version
                 Key: KAFKA-10245
                 URL: https://issues.apache.org/jira/browse/KAFKA-10245
             Project: Kafka
          Issue Type: Bug
          Components: core, KafkaConnect
    Affects Versions: 2.5.0
            Reporter: Pavel Kuznetsov


*Description*
I checked the kafka_2.12-2.5.0.tgz distribution with WhiteSource and found out that the log4j version used in kafka-connect and the kafka broker has vulnerabilities
 * log4j-1.2.17.jar has [CVE-2019-17571|https://github.com/advisories/GHSA-2qrg-x229-3v8q] and [CVE-2020-9488|https://github.com/advisories/GHSA-vwqq-5vrc-xw9h] vulnerabilities. The way to fix it is to upgrade to org.apache.logging.log4j:log4j-core:2.13.2

*To Reproduce*
Download kafka_2.12-2.5.0.tgz
Open the libs folder in it and find log4j-1.2.17.jar.
Check [CVE-2019-17571|https://github.com/advisories/GHSA-2qrg-x229-3v8q] and [CVE-2020-9488|https://github.com/advisories/GHSA-vwqq-5vrc-xw9h] to see that log4j 1.2.17 is vulnerable.
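An added example (not part of this issue or the Kafka project) that automates the check above: it scans a distribution's libs/ directory for log4j jars and flags any version older than the 2.13.2 the report names as the fix. The function names, the assumption that the version is embedded in the jar file name, and the use of sort -V (GNU coreutils) are the example's own.

```shell
#!/bin/sh
# Added example: audit a Kafka distribution's libs/ directory for log4j jars
# below the baseline version the issue names as the fix (2.13.2).

MIN_LOG4J_VERSION="2.13.2"   # version the issue says to upgrade to

# version_lt A B: succeed if version A sorts before version B (needs sort -V)
version_lt() {
    [ "$1" != "$2" ] && [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# log4j_version_of FILE: print the version embedded in a jar file name such as
# log4j-1.2.17.jar or log4j-core-2.13.2.jar (assumed naming; empty if absent)
log4j_version_of() {
    basename "$1" .jar | sed -n 's/^log4j\(-[a-z0-9]*\)*-\([0-9][0-9.]*\)$/\2/p'
}

# check_log4j_jars DIR: print one line per log4j jar under DIR and return 1 if
# any of them is older than MIN_LOG4J_VERSION or cannot be identified, else 0
check_log4j_jars() {
    status=0
    for jar in "$1"/log4j*.jar; do
        [ -e "$jar" ] || continue
        ver=$(log4j_version_of "$jar")
        if [ -z "$ver" ]; then
            echo "UNKNOWN  $jar (no version in file name)"
            status=1
        elif version_lt "$ver" "$MIN_LOG4J_VERSION"; then
            echo "OUTDATED $jar (version $ver < $MIN_LOG4J_VERSION)"
            status=1
        else
            echo "OK       $jar (version $ver)"
        fi
    done
    return $status
}
```

Run it as `check_log4j_jars /path/to/kafka_2.12-2.5.0/libs`; a non-zero exit means at least one jar needs attention.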

*Expected*
 * log4j is log4j-core 2.13.2 or higher

*Actual*
 * log4j is 1.2.17



--
This message was sent by Atlassian Jira
(v8.3.4#803005)