Pavel Kuznetsov created KAFKA-10245:
---------------------------------------

             Summary: Using vulnerable log4j version
                 Key: KAFKA-10245
                 URL: https://issues.apache.org/jira/browse/KAFKA-10245
             Project: Kafka
          Issue Type: Bug
          Components: core, KafkaConnect
    Affects Versions: 2.5.0
            Reporter: Pavel Kuznetsov


*Description*
I checked the kafka_2.12-2.5.0.tgz distribution with WhiteSource and found out that the log4j version used in kafka-connect and kafka-broker has vulnerabilities:
 * log4j-1.2.17.jar has [CVE-2019-17571|https://github.com/advisories/GHSA-2qrg-x229-3v8q] and [CVE-2020-9488|https://github.com/advisories/GHSA-vwqq-5vrc-xw9h] vulnerabilities. The way to fix it is to upgrade to org.apache.logging.log4j:log4j-core:2.13.2

*To Reproduce*
Download kafka_2.12-2.5.0.tgz
Open the libs folder in it and find log4j-1.2.17.jar.
Check [CVE-2019-17571|https://github.com/advisories/GHSA-2qrg-x229-3v8q] and [CVE-2020-9488|https://github.com/advisories/GHSA-vwqq-5vrc-xw9h] to see that log4j 1.2.17 is vulnerable.

*Expected*
 * log4j is log4j-core 2.13.2 or higher

*Actual*
 * log4j is 1.2.17



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
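The reproduction steps above amount to a manual audit of the distribution's libs folder. The following added example (not part of the Jira issue or of the Kafka project) automates that check: it opens a Kafka-style .tgz, lists every log4j jar under a libs/ directory, and flags log4j 1.x artifacts as well as any log4j-core older than the 2.13.2 version the report asks for. The tarball it inspects is constructed in memory with placeholder jar contents, so it runs offline; the directory layout (kafka_2.12-2.5.0/libs/) mirrors the real distribution but the file bytes are not real jars.

```python
"""Audit a Kafka distribution tarball's libs/ folder for outdated log4j jars."""
import io
import re
import tarfile
from typing import List, Tuple

# Matches jar file names such as log4j-1.2.17.jar or log4j-core-2.13.2.jar.
JAR_RE = re.compile(
    r"^(?P<artifact>log4j(?:-[a-z][a-z0-9]*)*)-(?P<version>\d+(?:\.\d+)*)\.jar$"
)

# Minimum log4j-core version requested by the report (2.13.2).
MIN_LOG4J2_CORE: Tuple[int, ...] = (2, 13, 2)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.13.2' into (2, 13, 2) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def find_log4j_jars(tgz_bytes: bytes) -> List[Tuple[str, str]]:
    """Return (artifact, version) for every log4j jar found under a libs/ directory."""
    found: List[Tuple[str, str]] = []
    with tarfile.open(fileobj=io.BytesIO(tgz_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            parts = member.name.split("/")
            # Only look at files whose path passes through a libs/ directory.
            if "libs" not in parts[:-1]:
                continue
            match = JAR_RE.match(parts[-1])
            if match:
                found.append((match.group("artifact"), match.group("version")))
    return found


def assess(jars: List[Tuple[str, str]]) -> List[str]:
    """Produce one finding per jar that is log4j 1.x or a log4j-core below the minimum."""
    findings: List[str] = []
    for artifact, version in jars:
        parsed = parse_version(version)
        if artifact == "log4j" and parsed[0] == 1:
            findings.append(
                f"{artifact}-{version}.jar: log4j 1.x is affected by "
                "CVE-2019-17571 and CVE-2020-9488; upgrade to log4j-core 2.13.2 or higher"
            )
        elif artifact == "log4j-core" and parsed < MIN_LOG4J2_CORE:
            findings.append(
                f"{artifact}-{version}.jar: below minimum log4j-core "
                + ".".join(str(p) for p in MIN_LOG4J2_CORE)
            )
    return findings


def build_sample_distribution(jar_names: List[str]) -> bytes:
    """Constructed test fixture: a gzipped tar with the Kafka libs/ layout and placeholder jars."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name in jar_names:
            info = tarfile.TarInfo(name=f"kafka_2.12-2.5.0/libs/{name}")
            data = b"placeholder, not a real jar"  # constructed content
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def audit_distribution(tgz_bytes: bytes) -> List[str]:
    """Convenience wrapper: list log4j jars in the tarball and return the findings."""
    return assess(find_log4j_jars(tgz_bytes))


if __name__ == "__main__":
    # Constructed sample mirroring the report: the 2.5.0 distribution ships log4j-1.2.17.jar.
    sample = build_sample_distribution(
        ["log4j-1.2.17.jar", "kafka-clients-2.5.0.jar", "slf4j-log4j12-1.7.30.jar"]
    )
    for finding in audit_distribution(sample):
        print(finding)
```

To run it against a downloaded archive, read the file bytes and pass them to `audit_distribution`; the same regex also recognises log4j 2.x module jars (log4j-api, log4j-core), so the check keeps working after the upgrade the report proposes.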
