Posted to dev@kafka.apache.org by "Pavel Kuznetsov (Jira)" <ji...@apache.org> on 2020/07/07 18:03:00 UTC
[jira] [Created] (KAFKA-10245) Using vulnerable log4j version
Pavel Kuznetsov created KAFKA-10245:
---------------------------------------
Summary: Using vulnerable log4j version
Key: KAFKA-10245
URL: https://issues.apache.org/jira/browse/KAFKA-10245
Project: Kafka
Issue Type: Bug
Components: core, KafkaConnect
Affects Versions: 2.5.0
Reporter: Pavel Kuznetsov
*Description*
I checked the kafka_2.12-2.5.0.tgz distribution with WhiteSource and found out that the log4j version used in kafka-connect and the kafka broker has vulnerabilities
* log4j-1.2.17.jar has [CVE-2019-17571|https://github.com/advisories/GHSA-2qrg-x229-3v8q] and [CVE-2020-9488|https://github.com/advisories/GHSA-vwqq-5vrc-xw9h] vulnerabilities. The way to fix it is to upgrade to org.apache.logging.log4j:log4j-core:2.13.2
*To Reproduce*
Download kafka_2.12-2.5.0.tgz
Open the libs folder in it and find log4j-1.2.17.jar.
Check [CVE-2019-17571|https://github.com/advisories/GHSA-2qrg-x229-3v8q] and [CVE-2020-9488|https://github.com/advisories/GHSA-vwqq-5vrc-xw9h] to see that log4j 1.2.17 is vulnerable.
*Expected*
* log4j is log4j-core 2.13.2 or higher
*Actual*
* log4j is 1.2.17
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
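The check described in the "To Reproduce" and "Expected" sections, automated as an added example (not code from the Jira issue or from the Kafka project): it parses Maven-style jar names found in a distribution's libs folder, flags the log4j 1.x line, and compares any log4j 2 jars against the 2.13.2 minimum the report asks for. The jar names in `SAMPLE_LIBS` and the helper `jars_in_tarball` are assumptions of this example.

```python
# Added example (not part of the Jira issue): scan a Kafka distribution's
# libs/ folder for log4j jars and check them against the version the report
# asks for. Jar names in SAMPLE_LIBS are constructed, modelled on kafka_2.12-2.5.0/libs.
import os
import re
import tarfile
from typing import Iterable, List, Optional, Tuple

MIN_LOG4J2 = (2, 13, 2)  # fix target named in the report (log4j-core 2.13.2)
LOG4J2_ARTIFACTS = {"log4j-core", "log4j-api"}
# "<artifact>-<numeric version>[-qualifier].jar"; the non-greedy artifact group
# makes "log4j-core-2.13.2.jar" split at the last dash before the digits.
JAR_RE = re.compile(r"^(?P<artifact>[A-Za-z0-9_.-]+?)-(?P<version>\d+(?:\.\d+)*)(?:-[\w.]+)?\.jar$")

def parse_jar(name: str) -> Optional[Tuple[str, Tuple[int, ...]]]:
    """Return (artifact, version tuple) for a Maven-style jar name, else None."""
    m = JAR_RE.match(os.path.basename(name))
    if not m:
        return None
    return m.group("artifact"), tuple(int(p) for p in m.group("version").split("."))

def check_log4j(jar_names: Iterable[str]) -> List[str]:
    """One finding per log4j jar that misses the report's expectation
    (log4j-core 2.13.2 or higher); an empty list means compliant."""
    findings = []
    for name in jar_names:
        parsed = parse_jar(name)
        if parsed is None:
            continue
        artifact, version = parsed
        if artifact == "log4j":  # the 1.x line, e.g. log4j-1.2.17.jar
            findings.append(f"{name}: log4j 1.x (CVE-2019-17571, CVE-2020-9488)")
        elif artifact in LOG4J2_ARTIFACTS and version < MIN_LOG4J2:
            findings.append(f"{name}: below log4j 2 minimum {'.'.join(map(str, MIN_LOG4J2))}")
    return findings

def jars_in_tarball(path: str) -> List[str]:
    """Jar members under a libs/ directory of a distribution .tgz (e.g. kafka_2.12-2.5.0.tgz)."""
    with tarfile.open(path) as tar:
        return [m.name for m in tar.getmembers()
                if m.isfile() and "/libs/" in m.name and m.name.endswith(".jar")]

# Constructed sample (not the real listing): a few jars in the style of kafka_2.12-2.5.0/libs.
SAMPLE_LIBS = ["kafka_2.12-2.5.0.jar", "log4j-1.2.17.jar", "slf4j-log4j12-1.7.30.jar",
               "scala-library-2.12.10.jar", "jackson-databind-2.10.2.jar"]

if __name__ == "__main__":
    for line in check_log4j(SAMPLE_LIBS) or ["OK: log4j meets the 2.13.2 minimum"]:
        print(line)
```

To run it against a real download, pass the result of `jars_in_tarball("kafka_2.12-2.5.0.tgz")` to `check_log4j` instead of `SAMPLE_LIBS`.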