Posted to commits@kafka.apache.org by to...@apache.org on 2022/09/20 09:52:27 UTC

[kafka-site] branch asf-site updated: MINOR: Mention CVE-2022-34917 in downloads.html (#444)

This is an automated email from the ASF dual-hosted git repository.

tombentley pushed a commit to branch asf-site
in repository https://gitbox.apache.org/repos/asf/kafka-site.git


The following commit(s) were added to refs/heads/asf-site by this push:
     new 77f432bf MINOR: Mention CVE-2022-34917 in downloads.html (#444)
77f432bf is described below

commit 77f432bf976ef510fa92b0d2b876a3a8e125a195
Author: Tom Bentley <to...@users.noreply.github.com>
AuthorDate: Tue Sep 20 10:52:22 2022 +0100

    MINOR: Mention CVE-2022-34917 in downloads.html (#444)
    
    
    Reviewers: Manikumar Reddy <ma...@gmail.com>
---
 cve-list.html  | 24 ++++++++++++------------
 downloads.html |  8 ++++----
 2 files changed, 16 insertions(+), 16 deletions(-)

diff --git a/cve-list.html b/cve-list.html
index 2c4bf6ee..9bba9137 100644
--- a/cve-list.html
+++ b/cve-list.html
@@ -9,7 +9,7 @@
 
 This page lists all security vulnerabilities fixed in released versions of Apache Kafka.
 
-      <h2><a href="https://nvd.nist.gov/vuln/detail/CVE-2022-34917">CVE-2022-34917</a> Unauthenticated clients may cause OutOfMemoryError on brokers </h2>
+      <h2 id="CVE-2022-34917"><a href="https://nvd.nist.gov/vuln/detail/CVE-2022-34917">CVE-2022-34917</a> Unauthenticated clients may cause OutOfMemoryError on brokers </h2>
 
       <p>This CVE identified a flaw where it allows the malicious unauthenticated clients to allocate large amounts of memory on brokers. This can lead to brokers hitting OutOfMemoryException and
         causing denial of service.</p>
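Review bot: the new `id="CVE-2022-34917"` matches the `cve-list#CVE-2022-34917` fragment that downloads.html now links to, so the anchor will resolve; while touching this section, the description paragraph says brokers hit "OutOfMemoryException", but the heading (and the JVM) use `OutOfMemoryError`, so the two should be made consistent, e.g. "This can lead to brokers hitting OutOfMemoryError and causing denial of service."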
@@ -43,7 +43,7 @@ This page lists all security vulnerabilities fixed in released versions of Apach
         </tbody>
       </table>
 
-<h2><a href="https://nvd.nist.gov/vuln/detail/CVE-2022-23302">CVE-2022-23302</a> Deserialization of Untrusted Data Flaw in JMSSink of Apache Log4j logging library in versions 1.x</h2>
+<h2 id="CVE-2022-23302"><a href="https://nvd.nist.gov/vuln/detail/CVE-2022-23302">CVE-2022-23302</a> Deserialization of Untrusted Data Flaw in JMSSink of Apache Log4j logging library in versions 1.x</h2>
 
   <p>This CVE identified a flaw where it allows the attacker to provide a TopicConnectionFactoryBindingName configuration that will cause JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104.</p>
 
@@ -68,7 +68,7 @@ This page lists all security vulnerabilities fixed in released versions of Apach
     </tbody>
   </table>
 
-<h2><a href="https://nvd.nist.gov/vuln/detail/CVE-2022-23305">CVE-2022-23305</a> SQL injection Flaw in Apache Log4j logging library in versions 1.x</h2>
+<h2 id="CVE-2022-23305"><a href="https://nvd.nist.gov/vuln/detail/CVE-2022-23305">CVE-2022-23305</a> SQL injection Flaw in Apache Log4j logging library in versions 1.x</h2>
 
   <p>This CVE identified a flaw where it  allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.</p>
 
@@ -93,7 +93,7 @@ This page lists all security vulnerabilities fixed in released versions of Apach
     </tbody>
   </table>
 
-<h2><a href="https://nvd.nist.gov/vuln/detail/CVE-2022-23307">CVE-2022-23307</a> Deserialization of Untrusted Data Flaw in Apache Log4j logging library in versions 1.x</h2>
+<h2 id="CVE-2022-23307"><a href="https://nvd.nist.gov/vuln/detail/CVE-2022-23307">CVE-2022-23307</a> Deserialization of Untrusted Data Flaw in Apache Log4j logging library in versions 1.x</h2>
 
   <p>This CVE identified a flaw where it allows an attacker to send a malicious request with serialized data to the component running <code>log4j 1.x</code> to be deserialized when the chainsaw component is run. Chainsaw is a standalone GUI for viewing log entries in log4j. An attacker not only needs to be able to generate malicious log entries, but also, have the necessary access and permissions to start chainsaw (or if it is already enabled by a customer / consumer of Apache Kafka).</p>
   
@@ -118,7 +118,7 @@ This page lists all security vulnerabilities fixed in released versions of Apach
   </tbody>
   </table>
 
-<h2><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046">CVE-2021-45046</a>
+<h2 id="CVE-2021-45046"><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046">CVE-2021-45046</a>
   Flaw in Apache Log4j logging library in versions from 2.0-beta9 through 2.12.1 and from 2.13.0 through 2.15.0</h2>
 
   <p>Some components in Apache Kafka use <code>Log4j-v1.2.17</code> there is no dependence on <code>Log4j v2.*</code>. Check with the vendor of any connector plugin that includes a Log4J 2.x JAR file.</p>
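Review bot: the paragraph under this heading is a run-on, "use <code>Log4j-v1.2.17</code> there is no dependence on <code>Log4j v2.*</code>", and needs a separator such as a semicolon or "so" between the two clauses; the identical sentence appears under the CVE-2021-44228 heading below and should get the same fix.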
@@ -146,7 +146,7 @@ This page lists all security vulnerabilities fixed in released versions of Apach
   </tbody>
   </table>
 
-<h2><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228">CVE-2021-44228</a>
+<h2 id="CVE-2021-44228"><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228">CVE-2021-44228</a>
   Flaw in Apache Log4j logging library in versions from 2.0.0 and before 2.15.0</h2>
 
   <p>Some components in Apache Kafka use <code>Log4j-v1.2.17</code> there is no dependence on <code>Log4j v2.*</code>. Check with the vendor of any connector plugin that includes a Log4J 2.x JAR file.</p>
@@ -175,7 +175,7 @@ This page lists all security vulnerabilities fixed in released versions of Apach
   </tbody>
   </table>
 
-<h2><a href="https://access.redhat.com/security/cve/CVE-2021-4104">CVE-2021-4104</a>
+<h2 id="CVE-2021-4104"><a href="https://access.redhat.com/security/cve/CVE-2021-4104">CVE-2021-4104</a>
   Flaw in Apache Log4j logging library in versions 1.x</h2>
   
   <p>The following components in Apache Kafka use <code>Log4j-v1.2.17</code>: broker, controller, zookeeper, connect, mirrormaker and tools. Clients may also be configured to use <code>Log4j-v1.x</code>.</p>
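Review bot: this is the only entry on the page whose heading links to a vendor advisory (access.redhat.com) rather than to cve.mitre.org or nvd.nist.gov; since the `id` is being added here anyway, consider pointing the link at the MITRE or NVD record for consistency with the other CVE headings.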
@@ -210,7 +210,7 @@ This page lists all security vulnerabilities fixed in released versions of Apach
   </tbody>
   </table>
 
-<h2><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38153">CVE-2021-38153</a>
+<h2 id="CVE-2021-38153"><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38153">CVE-2021-38153</a>
 Timing Attack Vulnerability for Apache Kafka Connect and Clients</h2>
 
 <p>Some components in Apache Kafka use <code>Arrays.equals</code> to validate a password or key, 
@@ -239,7 +239,7 @@ where this vulnerability has been fixed.</p>
 </tbody>
 </table>
 
-<h2><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12399">CVE-2019-12399</a>
+<h2 id="CVE-2019-12399"><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12399">CVE-2019-12399</a>
 Apache Kafka Connect REST API may expose plaintext secrets in tasks endpoint</h2>
 
 <p>When Connect workers in Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, or 2.3.0 are
@@ -273,7 +273,7 @@ where this vulnerability has been fixed.</p>
 </tbody>
 </table>
 
-<h2><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17196">CVE-2018-17196</a>
+<h2 id="CVE-2018-17196"><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17196">CVE-2018-17196</a>
 Authenticated clients with Write permission may bypass transaction/idempotent ACL validation</h2>
 <p>In Apache Kafka versions between 0.11.0.0 and 2.1.0, it is possible to manually
 craft a Produce request which bypasses transaction/idempotent ACL validation.
@@ -302,7 +302,7 @@ where this vulnerability has been fixed.</p>
 </tbody>
 </table>
 
-<h2><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1288">CVE-2018-1288</a>
+<h2 id="CVE-2018-1288"><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1288">CVE-2018-1288</a>
 Authenticated Kafka clients may interfere with data replication</h2>
 
 <p>Authenticated Kafka users may perform action reserved for the Broker via a manually created fetch request
@@ -330,7 +330,7 @@ interfering with data replication, resulting in data loss.</p>
 </table>
 
 
-<h2><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12610">CVE-2017-12610</a>
+<h2 id="CVE-2017-12610"><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12610">CVE-2017-12610</a>
 Authenticated Kafka clients may impersonate other users</h2>
 
 <p>Authenticated Kafka clients may use impersonation via a manually crafted protocol message with SASL/PLAIN or SASL/SCRAM
diff --git a/downloads.html b/downloads.html
index 1e8b5579..d4539d11 100644
--- a/downloads.html
+++ b/downloads.html
@@ -36,7 +36,7 @@
     </ul>
 
     <p>
-        Kafka 3.2.3 fixes 7 issues since the 3.2.1 release.
+        Kafka 3.2.3 fixes <a href="cve-list#CVE-2022-34917">CVE-2022-34917</a> and 7 other issues since the 3.2.1 release.
         For more information, please read the detailed <a href="https://downloads.apache.org/kafka/3.2.3/RELEASE_NOTES.html">Release Notes</a>.
     </p>
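Review bot: the new wording "fixes CVE-2022-34917 and 7 other issues" now claims eight fixes where the old line claimed seven, so confirm against the linked Release Notes whether the CVE's ticket was already counted among the original 7 before adopting "other"; the same count shift applies to the 3.1.2, 3.0.2 and 2.8.2 paragraphs below. Also, `href="cve-list#CVE-2022-34917"` depends on the server mapping the extensionless path to cve-list.html, so check that it matches how other internal links on this page are written, and note the fragment is case-sensitive and must match the `id` exactly.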
 
@@ -144,7 +144,7 @@
     </ul>
 
     <p>
-        Kafka 3.1.2 fixes 4 issues since the 3.1.1 release.
+        Kafka 3.1.2 fixes <a href="cve-list#CVE-2022-34917">CVE-2022-34917</a> and 4 other issues since the 3.1.1 release.
         For more information, please read the detailed <a href="https://downloads.apache.org/kafka/3.1.2/RELEASE_NOTES.html">Release Notes</a>.
     </p>
 
@@ -246,7 +246,7 @@
     </ul>
 
     <p>
-        Kafka 3.0.2 fixes 10 issues since the 3.0.1 release.
+        Kafka 3.0.2 fixes <a href="cve-list#CVE-2022-34917">CVE-2022-34917</a> and 10 other issues since the 3.0.1 release.
         For more information, please read the detailed <a href="https://downloads.apache.org/kafka/3.0.2/RELEASE_NOTES.html">Release Notes</a>.
     </p>
 
@@ -347,7 +347,7 @@
     </ul>
 
     <p>
-        Kafka 2.8.2 fixes 11 issues since the 2.8.1 release.
+        Kafka 2.8.2 fixes <a href="cve-list#CVE-2022-34917">CVE-2022-34917</a> and 11 other issues since the 2.8.1 release.
         For more information, please read the detailed <a href="https://archive.apache.org/dist/kafka/2.8.2/RELEASE_NOTES.html">Release Notes</a>.
     </p>