This is an automated email from the ASF dual-hosted git repository.
tombentley pushed a commit to branch asf-site
in repository https://gitbox.apache.org/repos/asf/kafka-site.git
The following commit(s) were added to refs/heads/asf-site by this push:
new 77f432bf MINOR: Mention CVE-2022-34917 in downloads.html (#444)
77f432bf is described below
commit 77f432bf976ef510fa92b0d2b876a3a8e125a195
Author: Tom Bentley <[email protected]>
AuthorDate: Tue Sep 20 10:52:22 2022 +0100
MINOR: Mention CVE-2022-34917 in downloads.html (#444)
Reviewers: Manikumar Reddy <[email protected]>
---
cve-list.html | 24 ++++++++++++------------
downloads.html | 8 ++++----
2 files changed, 16 insertions(+), 16 deletions(-)
diff --git a/cve-list.html b/cve-list.html
index 2c4bf6ee..9bba9137 100644
--- a/cve-list.html
+++ b/cve-list.html
@@ -9,7 +9,7 @@
This page lists all security vulnerabilities fixed in released versions of
Apache Kafka.
- <h2><a
href="https://nvd.nist.gov/vuln/detail/CVE-2022-34917">CVE-2022-34917</a>
Unauthenticated clients may cause OutOfMemoryError on brokers </h2>
+ <h2 id="CVE-2022-34917"><a
href="https://nvd.nist.gov/vuln/detail/CVE-2022-34917">CVE-2022-34917</a>
Unauthenticated clients may cause OutOfMemoryError on brokers </h2>
<p>This CVE identified a flaw where it allows the malicious
unauthenticated clients to allocate large amounts of memory on brokers. This
can lead to brokers hitting OutOfMemoryException and
causing denial of service.</p>
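Review bot: the new `id="CVE-2022-34917"` matches the fragment used by the `cve-list#CVE-2022-34917` links added in downloads.html in this same commit, so the deep link resolves to this heading. While here, the context paragraph says brokers hit `OutOfMemoryException`, whereas the heading (and the JVM) call it `OutOfMemoryError`; worth aligning the two in a follow-up.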
@@ -43,7 +43,7 @@ This page lists all security vulnerabilities fixed in
released versions of Apach
</tbody>
</table>
-<h2><a
href="https://nvd.nist.gov/vuln/detail/CVE-2022-23302">CVE-2022-23302</a>
Deserialization of Untrusted Data Flaw in JMSSink of Apache Log4j logging
library in versions 1.x</h2>
+<h2 id="CVE-2022-23302"><a
href="https://nvd.nist.gov/vuln/detail/CVE-2022-23302">CVE-2022-23302</a>
Deserialization of Untrusted Data Flaw in JMSSink of Apache Log4j logging
library in versions 1.x</h2>
<p>This CVE identified a flaw where it allows the attacker to provide a
TopicConnectionFactoryBindingName configuration that will cause JMSSink to
perform JNDI requests that result in remote code execution in a similar fashion
to CVE-2021-4104.</p>
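Review bot: the CVE-2022-23302 description in the context lines refers to CVE-2021-4104 as plain text; since this change gives that entry its own `id="CVE-2021-4104"` further down the page, the mention could become `<a href="#CVE-2021-4104">CVE-2021-4104</a>` so readers land directly on the related entry.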
@@ -68,7 +68,7 @@ This page lists all security vulnerabilities fixed in
released versions of Apach
</tbody>
</table>
-<h2><a
href="https://nvd.nist.gov/vuln/detail/CVE-2022-23305">CVE-2022-23305</a> SQL
injection Flaw in Apache Log4j logging library in versions 1.x</h2>
+<h2 id="CVE-2022-23305"><a
href="https://nvd.nist.gov/vuln/detail/CVE-2022-23305">CVE-2022-23305</a> SQL
injection Flaw in Apache Log4j logging library in versions 1.x</h2>
<p>This CVE identified a flaw where it allows a remote attacker to run SQL
statements in the database if the deployed application is configured to use
JDBCAppender with certain interpolation tokens.</p>
@@ -93,7 +93,7 @@ This page lists all security vulnerabilities fixed in
released versions of Apach
</tbody>
</table>
-<h2><a
href="https://nvd.nist.gov/vuln/detail/CVE-2022-23307">CVE-2022-23307</a>
Deserialization of Untrusted Data Flaw in Apache Log4j logging library in
versions 1.x</h2>
+<h2 id="CVE-2022-23307"><a
href="https://nvd.nist.gov/vuln/detail/CVE-2022-23307">CVE-2022-23307</a>
Deserialization of Untrusted Data Flaw in Apache Log4j logging library in
versions 1.x</h2>
<p>This CVE identified a flaw where it allows an attacker to send a
malicious request with serialized data to the component running <code>log4j
1.x</code> to be deserialized when the chainsaw component is run. Chainsaw is a
standalone GUI for viewing log entries in log4j. An attacker not only needs to
be able to generate malicious log entries, but also, have the necessary access
and permissions to start chainsaw (or if it is already enabled by a customer /
consumer of Apache Kafka).</p>
@@ -118,7 +118,7 @@ This page lists all security vulnerabilities fixed in
released versions of Apach
</tbody>
</table>
-<h2><a
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046">CVE-2021-45046</a>
+<h2 id="CVE-2021-45046"><a
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046">CVE-2021-45046</a>
Flaw in Apache Log4j logging library in versions from 2.0-beta9 through
2.12.1 and from 2.13.0 through 2.15.0</h2>
<p>Some components in Apache Kafka use <code>Log4j-v1.2.17</code> there is
no dependence on <code>Log4j v2.*</code>. Check with the vendor of any
connector plugin that includes a Log4J 2.x JAR file.</p>
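Review bot: style point on the context paragraph: `Some components in Apache Kafka use <code>Log4j-v1.2.17</code> there is no dependence on <code>Log4j v2.*</code>` is a run-on; a semicolon or `, so` after `Log4j-v1.2.17` would fix it. The same sentence is repeated verbatim in the CVE-2021-44228 entry below, so both should be corrected together.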
@@ -146,7 +146,7 @@ This page lists all security vulnerabilities fixed in
released versions of Apach
</tbody>
</table>
-<h2><a
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228">CVE-2021-44228</a>
+<h2 id="CVE-2021-44228"><a
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228">CVE-2021-44228</a>
Flaw in Apache Log4j logging library in versions from 2.0.0 and before
2.15.0</h2>
<p>Some components in Apache Kafka use <code>Log4j-v1.2.17</code> there is
no dependence on <code>Log4j v2.*</code>. Check with the vendor of any
connector plugin that includes a Log4J 2.x JAR file.</p>
@@ -175,7 +175,7 @@ This page lists all security vulnerabilities fixed in
released versions of Apach
</tbody>
</table>
-<h2><a
href="https://access.redhat.com/security/cve/CVE-2021-4104">CVE-2021-4104</a>
+<h2 id="CVE-2021-4104"><a
href="https://access.redhat.com/security/cve/CVE-2021-4104">CVE-2021-4104</a>
Flaw in Apache Log4j logging library in versions 1.x</h2>
<p>The following components in Apache Kafka use <code>Log4j-v1.2.17</code>:
broker, controller, zookeeper, connect, mirrormaker and tools. Clients may also
be configured to use <code>Log4j-v1.x</code>.</p>
@@ -210,7 +210,7 @@ This page lists all security vulnerabilities fixed in
released versions of Apach
</tbody>
</table>
-<h2><a
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38153">CVE-2021-38153</a>
+<h2 id="CVE-2021-38153"><a
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38153">CVE-2021-38153</a>
Timing Attack Vulnerability for Apache Kafka Connect and Clients</h2>
<p>Some components in Apache Kafka use <code>Arrays.equals</code> to validate
a password or key,
@@ -239,7 +239,7 @@ where this vulnerability has been fixed.</p>
</tbody>
</table>
-<h2><a
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12399">CVE-2019-12399</a>
+<h2 id="CVE-2019-12399"><a
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12399">CVE-2019-12399</a>
Apache Kafka Connect REST API may expose plaintext secrets in tasks
endpoint</h2>
<p>When Connect workers in Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0,
2.2.1, or 2.3.0 are
@@ -273,7 +273,7 @@ where this vulnerability has been fixed.</p>
</tbody>
</table>
-<h2><a
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17196">CVE-2018-17196</a>
+<h2 id="CVE-2018-17196"><a
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17196">CVE-2018-17196</a>
Authenticated clients with Write permission may bypass transaction/idempotent
ACL validation</h2>
<p>In Apache Kafka versions between 0.11.0.0 and 2.1.0, it is possible to
manually
craft a Produce request which bypasses transaction/idempotent ACL validation.
@@ -302,7 +302,7 @@ where this vulnerability has been fixed.</p>
</tbody>
</table>
-<h2><a
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1288">CVE-2018-1288</a>
+<h2 id="CVE-2018-1288"><a
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1288">CVE-2018-1288</a>
Authenticated Kafka clients may interfere with data replication</h2>
<p>Authenticated Kafka users may perform action reserved for the Broker via a
manually created fetch request
@@ -330,7 +330,7 @@ interfering with data replication, resulting in data
loss.</p>
</table>
-<h2><a
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12610">CVE-2017-12610</a>
+<h2 id="CVE-2017-12610"><a
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12610">CVE-2017-12610</a>
Authenticated Kafka clients may impersonate other users</h2>
<p>Authenticated Kafka clients may use impersonation via a manually crafted
protocol message with SASL/PLAIN or SASL/SCRAM
diff --git a/downloads.html b/downloads.html
index 1e8b5579..d4539d11 100644
--- a/downloads.html
+++ b/downloads.html
@@ -36,7 +36,7 @@
</ul>
<p>
- Kafka 3.2.3 fixes 7 issues since the 3.2.1 release.
+ Kafka 3.2.3 fixes <a href="cve-list#CVE-2022-34917">CVE-2022-34917</a>
and 7 other issues since the 3.2.1 release.
For more information, please read the detailed <a
href="https://downloads.apache.org/kafka/3.2.3/RELEASE_NOTES.html">Release
Notes</a>.
</p>
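Review bot: two points on this hunk that apply equally to the 3.1.2, 3.0.2 and 2.8.2 hunks below. First, the removed line said `fixes 7 issues` and the added line says `fixes CVE-2022-34917 and 7 other issues`, which raises the total to 8; if the original count of 7 already included the CVE fix, this should read `and 6 other issues`, so please confirm the count against the 3.2.3 release notes linked in the same paragraph. Second, the link target `cve-list#CVE-2022-34917` has no `.html` extension while the edited file is `cve-list.html`; this only works if the site serves extensionless paths, otherwise `cve-list.html#CVE-2022-34917` is the safe form.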
@@ -144,7 +144,7 @@
</ul>
<p>
- Kafka 3.1.2 fixes 4 issues since the 3.1.1 release.
+ Kafka 3.1.2 fixes <a href="cve-list#CVE-2022-34917">CVE-2022-34917</a>
and 4 other issues since the 3.1.1 release.
For more information, please read the detailed <a
href="https://downloads.apache.org/kafka/3.1.2/RELEASE_NOTES.html">Release
Notes</a>.
</p>
@@ -246,7 +246,7 @@
</ul>
<p>
- Kafka 3.0.2 fixes 10 issues since the 3.0.1 release.
+ Kafka 3.0.2 fixes <a href="cve-list#CVE-2022-34917">CVE-2022-34917</a>
and 10 other issues since the 3.0.1 release.
For more information, please read the detailed <a
href="https://downloads.apache.org/kafka/3.0.2/RELEASE_NOTES.html">Release
Notes</a>.
</p>
@@ -347,7 +347,7 @@
</ul>
<p>
- Kafka 2.8.2 fixes 11 issues since the 2.8.1 release.
+ Kafka 2.8.2 fixes <a href="cve-list#CVE-2022-34917">CVE-2022-34917</a>
and 11 other issues since the 2.8.1 release.
For more information, please read the detailed <a
href="https://archive.apache.org/dist/kafka/2.8.2/RELEASE_NOTES.html">Release
Notes</a>.
</p>