Posted to commits@kafka.apache.org by ju...@apache.org on 2021/12/15 00:24:47 UTC

[kafka-site] branch asf-site updated: adding CVE-2021-44228 and CVE-2021-4104 to list (#388)

This is an automated email from the ASF dual-hosted git repository.

junrao pushed a commit to branch asf-site
in repository https://gitbox.apache.org/repos/asf/kafka-site.git


The following commit(s) were added to refs/heads/asf-site by this push:
     new f7cff0d  adding CVE-2021-44228 and CVE-2021-4104 to list (#388)
f7cff0d is described below

commit f7cff0d46b070385e4aaccca96f0f74a058f7427
Author: scott-confluent <66...@users.noreply.github.com>
AuthorDate: Tue Dec 14 19:24:42 2021 -0500

    adding CVE-2021-44228 and CVE-2021-4104 to list (#388)
---
 cve-list.html | 64 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 64 insertions(+)

diff --git a/cve-list.html b/cve-list.html
index ccb7d06..b42620d 100644
--- a/cve-list.html
+++ b/cve-list.html
@@ -9,6 +9,70 @@
 
 This page lists all security vulnerabilities fixed in released versions of Apache Kafka.
 
+<h2><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228">CVE-2021-44228</a>
+  Flaw in Apache Log4j logging library in versions from 2.0.0 and before 2.15.0</h2>
+
+  <p>Some components in Apache Kafka use <code>Log4j-v1.2.17</code> there is no dependence on <code>Log4j v2.*</code>. Check with the vendor of any connector plugin that includes a Log4J 2.x JAR file.</p>
+  
+  <p><a href="https://logging.apache.org/log4j/2.x/manual/lookups.html">Lookups feature</a> was introduced in Log4j v2.x in order to allow specifying Log4j configuration parameters in arbitrary locations (even outside of the configuration files). Log4j v1.x does not offer the same functionality and thus is not vulnerable to <a href="https://access.redhat.com/security/cve/cve-2021-44228">CVE-2021-44228</a>.</p>
+  <p>Users should NOT be impacted by this vulnerability</p>
+  
+  <table class="data-table">
+  <tbody>
+    <tr>
+      <td>Versions affected</td>
+      <td>NA</td>
+    </tr>
+    <tr>
+      <td>Fixed versions</td>
+      <td>NA</td>
+    </tr>
+    <tr>
+      <td>Impact</td>
+      <td>NA</td>
+    </tr>
+    <tr>
+      <td>Issue announced</td>
+      <td>09 Dec 2021</td>
+    </tr>
+  </tbody>
+  </table>
+
+<h2><a href="https://access.redhat.com/security/cve/CVE-2021-4104">CVE-2021-4104</a>
+  Flaw in Apache Log4j logging library in versions 1.x</h2>
+  
+  <p>The following components in Apache Kafka use <code>Log4j-v1.2.17</code>: broker, controller, zookeeper, connect, mirrormaker and tools. Clients may also be configured to use <code>Log4j-v1.x</code>.</p>
+
+  <p>Version 1.x of Log4J can be configured to use JMS Appender, which publishes log events to a JMS Topic. Log4j 1.x is vulnerable if the deployed application is configured to use JMSAppender.</p>
+  
+  <table class="data-table">
+  <tbody>
+    <tr>
+      <td>Versions affected</td>
+      <td>All versions</td>
+    </tr>
+    <tr>
+      <td>Fixed versions</td>
+      <td>
+        In the absence of a new log4j 1.x release, one can remove JMSAppender
+        from the log4j-1.2.17.jar artifact. Commands are listed in the
+        page <a href="http://slf4j.org/log4shell.html">http://slf4j.org/log4shell.html</a>.
+        <br />
+        <br />
+        We also recommend that configuration files be protected against write access as stated in <a href="http://slf4j.org/log4shell.html">http://slf4j.org/log4shell.html</a>.
+    </td>
+    </tr>
+    <tr>
+      <td>Impact</td>
+      <td>This issue could result in a remote code execution attack when the application is configured to use JMSAppender AND the attacker has access to directly modify the TopicBindingName or TopicConnectionFactoryBindingName configuration variables in property files which is typically an unlikely exploitation scenario.</td>
+    </tr>
+    <tr>
+      <td>Issue announced</td>
+      <td>09 Dec 2021</td>
+    </tr>
+  </tbody>
+  </table>
+
 <h2><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38153">CVE-2021-38153</a>
 Timing Attack Vulnerability for Apache Kafka Connect and Clients</h2>
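Review bot: the unconditional "Users should NOT be impacted by this vulnerability" in the CVE-2021-44228 entry contradicts the caveat two lines above it ("Check with the vendor of any connector plugin that includes a Log4J 2.x JAR file"); suggest scoping it, e.g. "Users of Apache Kafka itself should not be impacted; connector plugins that bundle Log4j 2.x must be checked separately." In the same entry, "use <code>Log4j-v1.2.17</code> there is no dependence on <code>Log4j v2.*</code>" is a run-on and needs a semicolon or "and" between the two clauses, and both "NOT be impacted by this vulnerability" and the Impact cell for CVE-2021-4104 are missing a terminating period. Minor consistency points: the CVE-2021-4104 heading links to access.redhat.com while every other entry on the page links to cve.mitre.org, "JMS Appender" and "JMSAppender" are used interchangeably in the same paragraph, and the slf4j.org links use http rather than https.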