Posted to jira@kafka.apache.org by "Luke Chen (Jira)" <ji...@apache.org> on 2021/12/12 04:04:00 UTC

[jira] [Commented] (KAFKA-13537) Will kafka_2.12-2.3.0 version be impacted by new zero-day exploit going on since last Friday?

    [ https://issues.apache.org/jira/browse/KAFKA-13537?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17457805#comment-17457805 ] 

Luke Chen commented on KAFKA-13537:
-----------------------------------

[~rajnaik] , thanks for reporting the issue. I've confirmed that Kafka is not affected by this CVE (or with low risk, compared to log4j 2.x versions). Please read my email reply here for more detail: [https://lists.apache.org/thread/lgbtvvmy68p0059yoyn9qxzosdmx4jdv]


But we have a KIP to upgrade log4j to log4j2: KAFKA-9366

FYI


> Will kafka_2.12-2.3.0 version be impacted by new zero-day exploit going on since last Friday?
> ---------------------------------------------------------------------------------------------
>
>                 Key: KAFKA-13537
>                 URL: https://issues.apache.org/jira/browse/KAFKA-13537
>             Project: Kafka
>          Issue Type: Bug
>         Environment: All
>            Reporter: Rajendra
>            Priority: Major
>
> h3. new zero-day exploit has been reported against the popular Log4J2 library which can allow an attacker to remotely execute code.
> h3. Affected Software
> A significant number of Java-based applications are using log4j as their logging utility and are vulnerable to this CVE. To the best of our knowledge, at least the following software may be impacted:
>  * Apache Struts
>  * Apache Solr
>  * Apache Druid
>  * Apache Flink
>  * ElasticSearch
>  * Flume
>  * Apache Dubbo
>  * Logstash
>  * Kafka
>  * Spring-Boot-starter-log4j2
> Wondering if kafka_2.12-2.3.0 is impacted. I see the libraries below.
> kafka-log4j-appender-2.3.0.jar  log4j-1.2.17.jar  scala-logging_2.12-3.9.0.jar  slf4j-log4j12-1.7.26.jar
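As an added, defender-side example (not part of the issue text or of Luke Chen's reply), the Python script below automates the check Rajendra did by hand on the lib directory: it parses Maven-style jar file names, separates the log4j 1.x artifact (`log4j`) from the 2.x runtime artifact (`log4j-core`), notes the SLF4J binding and Kafka appender that sit on the 1.x API, and compares any 2.x runtime it finds against a minimum fixed version. The page names no fixed version, so `classify` takes it as the `min_fixed_core` parameter, which you fill in from the log4j advisory you are applying. `SAMPLE_LIBS` is constructed from the four jar names quoted in the issue; `classify`, `scan_dir` and `version_key` are hypothetical helper names, not Kafka or log4j APIs.

```python
import os
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed sample input: the jar names quoted in the issue description.
SAMPLE_LIBS = [
    "kafka-log4j-appender-2.3.0.jar",
    "log4j-1.2.17.jar",
    "scala-logging_2.12-3.9.0.jar",
    "slf4j-log4j12-1.7.26.jar",
]

# Maven-style file name: <artifactId>-<version>.jar, version starting with a digit.
# The artifact group is non-greedy so "kafka-log4j-appender-2.3.0.jar" splits
# at the last dash before the version, not the first one.
JAR_NAME = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d[\w.\-]*)\.jar$")

# 1.x line ships as plain "log4j"; 2.x runtime ships as "log4j-core".
LOG4J1_ARTIFACT = "log4j"
LOG4J2_CORE_ARTIFACT = "log4j-core"
# SLF4J binding for the log4j 1.2 API and the Kafka appender shipped beside it.
LOG4J1_API_USERS = {"slf4j-log4j12", "kafka-log4j-appender"}


class Jar(NamedTuple):
    artifact: str
    version: str


def parse_jar_name(name: str) -> Optional[Jar]:
    """Split 'artifact-version.jar' into its parts; None for non-jar or unversioned names."""
    m = JAR_NAME.match(name)
    return Jar(m["artifact"], m["version"]) if m else None


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric prefix of each dot-separated component, so that (2, 15, 0) > (2, 3, 0).

    A qualifier such as '-rc1' after the numbers is ignored; comparison stops
    at the first component with no leading digits.
    """
    parts: List[int] = []
    for comp in version.split("."):
        digits = re.match(r"\d+", comp)
        if digits is None:
            break
        parts.append(int(digits.group()))
    return tuple(parts)


def classify(jar_names: List[str], min_fixed_core: str) -> Dict[str, List[str]]:
    """Bucket jars by which log4j line they belong to.

    min_fixed_core: the lowest log4j-core 2.x version the advisory you are
    applying treats as fixed (supplied by the caller; the page names none).
    """
    report: Dict[str, List[str]] = {
        "log4j1_runtime": [],        # log4j 1.x runtime present
        "log4j1_api_users": [],      # bindings/appenders built on the 1.x API
        "log4j2_core_below_fix": [], # 2.x runtime older than min_fixed_core
        "log4j2_core_fixed": [],     # 2.x runtime at or above min_fixed_core
    }
    fixed = version_key(min_fixed_core)
    for name in sorted(jar_names):
        jar = parse_jar_name(name)
        if jar is None:
            continue
        if jar.artifact == LOG4J1_ARTIFACT:
            report["log4j1_runtime"].append(name)
        elif jar.artifact == LOG4J2_CORE_ARTIFACT:
            bucket = "log4j2_core_below_fix" if version_key(jar.version) < fixed else "log4j2_core_fixed"
            report[bucket].append(name)
        elif jar.artifact in LOG4J1_API_USERS:
            report["log4j1_api_users"].append(name)
    return report


def scan_dir(lib_dir: str, min_fixed_core: str) -> Dict[str, List[str]]:
    """Run classify() over the file names in a real lib directory (e.g. kafka/libs)."""
    return classify(os.listdir(lib_dir), min_fixed_core)


if __name__ == "__main__":
    # Placeholder threshold: replace with the fixed version from the advisory you apply.
    for bucket, jars in classify(SAMPLE_LIBS, "PLACEHOLDER_FIXED_VERSION").items():
        print(f"{bucket}: {jars}")
```

On the quoted Kafka 2.3.0 listing the script reports a 1.x runtime plus two 1.x API users and no `log4j-core` at all, which is the observation behind the "not affected, or low risk" answer in the comment; on a tree that does contain `log4j-core`, the `log4j2_core_below_fix` bucket is the one that needs action. Note that `version_key("PLACEHOLDER_FIXED_VERSION")` is the empty tuple, so with the placeholder every 2.x runtime compares as fixed; the threshold must be set before the result means anything.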

--
This message was sent by Atlassian Jira
(v8.20.1#820001)