Pavel Kuznetsov created KAFKA-10245:
---------------------------------------

             Summary: Using vulnerable log4j version
                 Key: KAFKA-10245
                 URL: https://issues.apache.org/jira/browse/KAFKA-10245
             Project: Kafka
          Issue Type: Bug
          Components: core, KafkaConnect
    Affects Versions: 2.5.0
            Reporter: Pavel Kuznetsov


*Description*

I checked the kafka_2.12-2.5.0.tgz distribution with WhiteSource and found out that the log4j version used in kafka-connect and kafka-broker has vulnerabilities:

* log4j-1.2.17.jar has [CVE-2019-17571|https://github.com/advisories/GHSA-2qrg-x229-3v8q] and [CVE-2020-9488|https://github.com/advisories/GHSA-vwqq-5vrc-xw9h] vulnerabilities. The way to fix it is to upgrade to org.apache.logging.log4j:log4j-core:2.13.2

*To Reproduce*

Download kafka_2.12-2.5.0.tgz.
Open the libs folder in it and find log4j-1.2.17.jar.
Check [CVE-2019-17571|https://github.com/advisories/GHSA-2qrg-x229-3v8q] and [CVE-2020-9488|https://github.com/advisories/GHSA-vwqq-5vrc-xw9h] to see that log4j 1.2.17 is vulnerable.

*Expected*

* log4j is log4j-core 2.13.2 or higher

*Actual*

* log4j is 1.2.17



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
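The reproduction steps in the issue amount to inspecting the distribution's libs/ directory for log4j jars and reading the version off the file name. The script below automates that check so it can run against any unpacked Kafka tarball or deployed broker. It is an added example, not part of the Jira issue or of the Kafka project: it assumes the kafka_2.12-2.5.0.tgz layout (jars under libs/, named artifact-X.Y.Z.jar), takes the minimum acceptable version as an argument (the reporter's 2.13.2 in the demo), and the demo at the bottom works on a constructed libs directory with empty placeholder files rather than the real tarball.

```shell
#!/bin/sh
# Added example (not from the Jira issue or the Kafka project): scan a Kafka
# distribution's libs/ directory for log4j jars and flag versions below a minimum.
# Assumes jars are named <artifact>-<major>.<minor>.<patch>.jar, as in
# kafka_2.12-2.5.0.tgz (libs/log4j-1.2.17.jar).

# vernum X.Y.Z -> one integer that orders like the version (2.13.2 -> 2013002).
vernum() {
    echo "$1" | awk -F. '{ printf "%d\n", $1 * 1000000 + $2 * 1000 + $3 }'
}

# jarver NAME -> the trailing X.Y.Z of a jar base name, or empty if there is none.
# log4j-1.2.17 -> 1.2.17; log4j-core-2.13.2 -> 2.13.2; log4j-1.2-api-2.13.2 -> 2.13.2
jarver() {
    echo "$1" | sed -n -E 's/^.*-([0-9]+\.[0-9]+\.[0-9]+)$/\1/p'
}

# check_log4j LIBS_DIR MIN_VERSION
# Prints one line ("OK", "VULNERABLE" or "UNKNOWN") per log4j jar found.
# Exit status: 0 if every log4j jar is at or above MIN_VERSION, 1 otherwise.
# A jar whose version cannot be parsed also counts as a failure, so it cannot
# slip through a CI gate unnoticed.
check_log4j() {
    libs=$1
    min=$2
    status=0
    for jar in "$libs"/log4j-*.jar; do
        [ -e "$jar" ] || continue          # glob matched nothing
        name=$(basename "$jar" .jar)
        ver=$(jarver "$name")
        if [ -z "$ver" ]; then
            echo "UNKNOWN    $name (no X.Y.Z version in file name)"
            status=1
        elif [ "$(vernum "$ver")" -lt "$(vernum "$min")" ]; then
            echo "VULNERABLE $name ($ver is below $min)"
            status=1
        else
            echo "OK         $name"
        fi
    done
    return $status
}

# Demo on a constructed libs/ directory: the log4j jar name mirrors the one the
# issue reports in the 2.5.0 tarball, the other jar is made up to show that the
# glob ignores non-log4j artifacts. Empty files stand in for the real jars.
demo_dir=$(mktemp -d)
touch "$demo_dir/log4j-1.2.17.jar" "$demo_dir/some-other-lib-1.0.0.jar"
check_log4j "$demo_dir" 2.13.2 || echo "log4j below 2.13.2 found in $demo_dir"
rm -rf "$demo_dir"
```

Point it at a real distribution with `check_log4j /opt/kafka/libs 2.13.2`; the non-zero exit status makes it usable as a build or deployment gate. The minimum version is deliberately a parameter rather than a constant, since the threshold that counts as acceptable should follow whatever advisory is current for the log4j line in use.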