Posted to commits@kafka.apache.org by ju...@apache.org on 2022/01/21 18:52:51 UTC

[kafka-site] branch asf-site updated: adding new vulnerability info - CVE-2022-23307 (#392)

This is an automated email from the ASF dual-hosted git repository.

junrao pushed a commit to branch asf-site
in repository https://gitbox.apache.org/repos/asf/kafka-site.git


The following commit(s) were added to refs/heads/asf-site by this push:
     new 7904398  adding new vulnerability info - CVE-2022-23307  (#392)
7904398 is described below

commit 79043988dd8048fd99484b7fb2623a94f5489012
Author: scott-confluent <66...@users.noreply.github.com>
AuthorDate: Fri Jan 21 13:52:43 2022 -0500

    adding new vulnerability info - CVE-2022-23307  (#392)
    
    Reviewers: Jun Rao <ju...@gmail.com>
---
 cve-list.html | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/cve-list.html b/cve-list.html
index 2bb1e03..d5f62ba 100644
--- a/cve-list.html
+++ b/cve-list.html
@@ -9,6 +9,31 @@
 
 This page lists all security vulnerabilities fixed in released versions of Apache Kafka.
 
+<h2><a href="https://nvd.nist.gov/vuln/detail/CVE-2022-23307">CVE-2022-23307</a> Deserialization of Untrusted Data Flaw in Apache Log4j logging library in versions 1.x</h2>
+
+  <p>This CVE identified a flaw where it allows an attacker to send a malicious request with serialized data to the component running <code>log4j 1.x</code> to be deserialized when the chainsaw component is run. Chainsaw is a standalone GUI for viewing log entries in log4j. An attacker not only needs to be able to generate malicious log entries, but also, have the necessary access and permissions to start chainsaw (or if it is already enabled by a customer / consumer of Apache Kafka).</p>
+  
+  <table class="data-table">
+  <tbody>
+    <tr>
+      <td>Versions affected</td>
+      <td>All AK versions</td>
+    </tr>
+    <tr>
+      <td>Fixed versions</td>
+      <td>In the absence of a new log4j 1.x release, one can remove Chainsaw from the log4j-1.2.17.jar artifact.</td>
+    </tr>
+    <tr>
+      <td>Impact</td>
+      <td>When an attacker has the ability to start Chainsaw and is able to generate malicious log entries it allows deserialization of untrusted data.</td>
+    </tr>
+    <tr>
+      <td>Issue announced</td>
+      <td>18 Jan 2022</td>
+    </tr>
+  </tbody>
+  </table>
+
 <h2><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046">CVE-2021-45046</a>
   Flaw in Apache Log4j logging library in versions from 2.0-beta9 through 2.12.1 and from 2.13.0 through 2.15.0</h2>
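Review bot: The "Fixed versions" cell in this hunk does not name a fixed version; it gives a workaround ("one can remove Chainsaw from the log4j-1.2.17.jar artifact"), so either rename the row label to "Mitigation" or state explicitly that no Kafka release fixes this and the workaround is the only option. The "Versions affected" cell reads "All AK versions"; spell out "Apache Kafka" as the rest of the page does, and consider saying why all versions are affected (the hunk's own workaround implies Kafka ships log4j-1.2.17.jar, which would make that clear). The description paragraph also needs tightening: "This CVE identified a flaw where it allows an attacker to send ..." should read "This CVE describes a flaw that allows an attacker to send ...", and the closing parenthetical "(or if it is already enabled by a customer / consumer of Apache Kafka)" is not a complete clause; suggest "or Chainsaw must already have been started by an operator of Apache Kafka". Finally, this entry links to nvd.nist.gov while the existing CVE-2021-45046 entry directly below links to cve.mitre.org; pick one source for the CVE links on this page.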