Posted to commits@kafka.apache.org by sh...@apache.org on 2022/02/13 02:25:36 UTC

[kafka-site] branch asf-site updated: MINOR: Add CVE-2022-23302 and CVE-2022-23305 to cve-list (#396)

This is an automated email from the ASF dual-hosted git repository.

showuon pushed a commit to branch asf-site
in repository https://gitbox.apache.org/repos/asf/kafka-site.git


The following commit(s) were added to refs/heads/asf-site by this push:
     new a2ad775  MINOR: Add CVE-2022-23302 and CVE-2022-23305 to cve-list (#396)
a2ad775 is described below

commit a2ad775f3c0d2d04743d5880bed4465f22203b1c
Author: Luke Chen <sh...@gmail.com>
AuthorDate: Sun Feb 13 10:25:30 2022 +0800

    MINOR: Add CVE-2022-23302 and CVE-2022-23305 to cve-list (#396)
    
    * add more info in the "adding to contributor list" section
    * add CVE-2022-23302 and CVE-2022-23305 to cve-list
    
    Reviewers: Jun Rao <ju...@gmail.com>, Israel Ekpo <is...@gmail.com>
---
 cve-list.html | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 50 insertions(+)

diff --git a/cve-list.html b/cve-list.html
index d5f62ba..dbca288 100644
--- a/cve-list.html
+++ b/cve-list.html
@@ -9,6 +9,56 @@
 
 This page lists all security vulnerabilities fixed in released versions of Apache Kafka.
 
+<h2><a href="https://nvd.nist.gov/vuln/detail/CVE-2022-23302">CVE-2022-23302</a> Deserialization of Untrusted Data Flaw in JMSSink of Apache Log4j logging library in versions 1.x</h2>
+
+  <p>This CVE identified a flaw where it allows the attacker to provide a TopicConnectionFactoryBindingName configuration that will cause JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104.</p>
+
+  <table class="data-table">
+    <tbody>
+    <tr>
+      <td>Versions affected</td>
+      <td>All AK versions</td>
+    </tr>
+    <tr>
+      <td>Fixed versions</td>
+      <td>In the absence of a new log4j 1.x release, one can remove JMSSink class from the log4j-1.2.17.jar artifact.</td>
+    </tr>
+    <tr>
+      <td>Impact</td>
+      <td>When the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a configuration causing JMSSink to perform JNDI requests that result in remote code execution.</td>
+    </tr>
+    <tr>
+      <td>Issue announced</td>
+      <td>18 Jan 2022</td>
+    </tr>
+    </tbody>
+  </table>
+
+<h2><a href="https://nvd.nist.gov/vuln/detail/CVE-2022-23305">CVE-2022-23305</a> SQL injection Flaw in Apache Log4j logging library in versions 1.x</h2>
+
+  <p>This CVE identified a flaw where it  allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.</p>
+
+  <table class="data-table">
+    <tbody>
+    <tr>
+      <td>Versions affected</td>
+      <td>All AK versions</td>
+    </tr>
+    <tr>
+      <td>Fixed versions</td>
+      <td>In the absence of a new log4j 1.x release, one can remove JDBCAppender class from the log4j-1.2.17.jar artifact.</td>
+    </tr>
+    <tr>
+      <td>Impact</td>
+      <td>This issue could result in a SQL injection attack when the application is configured to use JDBCAppender.</td>
+    </tr>
+    <tr>
+      <td>Issue announced</td>
+      <td>18 Jan 2022</td>
+    </tr>
+    </tbody>
+  </table>
+
 <h2><a href="https://nvd.nist.gov/vuln/detail/CVE-2022-23307">CVE-2022-23307</a> Deserialization of Untrusted Data Flaw in Apache Log4j logging library in versions 1.x</h2>
 
   <p>This CVE identified a flaw where it allows an attacker to send a malicious request with serialized data to the component running <code>log4j 1.x</code> to be deserialized when the chainsaw component is run. Chainsaw is a standalone GUI for viewing log entries in log4j. An attacker not only needs to be able to generate malicious log entries, but also, have the necessary access and permissions to start chainsaw (or if it is already enabled by a customer / consumer of Apache Kafka).</p>
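Review bot: The "Impact" cell of the new CVE-2022-23302 table opens with a sentence fragment ("When the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to.") that leaves the condition dangling; fold it into the sentence that follows, e.g. "An attacker who has write access to the Log4j configuration, or who controls an LDAP service that the configuration references, can provide a configuration causing JMSSink to perform JNDI requests that result in remote code execution." Two smaller points in the same hunk: the CVE-2022-23305 paragraph has a doubled space in "it  allows", and both new entries name JMSSink, JDBCAppender and log4j-1.2.17.jar as plain text where the existing CVE-2022-23307 entry below wraps such identifiers in <code>, so the new entries should do the same. Finally, "All AK versions" in both "Versions affected" cells is an abbreviation a reader of the public CVE list may not recognise; spelling it out as "All Apache Kafka versions" would match the wording used in the page's introductory sentence.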