Posted to jira@kafka.apache.org by GitBox <gi...@apache.org> on 2021/03/02 14:42:33 UTC

[GitHub] [kafka] fouadsemaan commented on pull request #7898: KAFKA-9366: Change log4j dependency into log4j2

fouadsemaan commented on pull request #7898:
URL: https://github.com/apache/kafka/pull/7898#issuecomment-788957476


> > @dongjinleekr we're using strimzi/kafka / 0.21.0-kafka-2.7.0
> > Our SCA scanning tool (JFrog XRay) found this CVE among many others (speaking of third-party lib CVEs only).
> > We're just wondering if there's a way (e.g. via message sanitizing or logging config adjustments, etc.) to be sure the mentioned CVE cannot be exploited.
>
> I have a similar question: can this security vulnerability [CVE-2019-17571](https://github.com/advisories/GHSA-2qrg-x229-3v8q) get exploited? I use the Kafka operator from Banzaicloud 0.12.3 / kafka:2.13-2.6.0.
>
> When will the custom release be available?
>
> Thanks

To @priyavj08's question, is the vulnerability invoked by Kafka or does it lie dormant?


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org