Hi,

The impact of CVE-2022-22965? Since this is an RCE vulnerability, it means the
whole system (including Kafka and ZK) is under the attackers' control, and they
can do whatever they want.

The ideal fix for this is to upgrade to Spring Framework 5.3.18 or 5.2.20 or
greater. Alternatively, there are workarounds:
1. Upgrading Tomcat
2. Downgrading to Java 8
3. Disallowed Fields

I think this blog post from the Spring community is very clear:
https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement

Thank you.
Luke

On Mon, Apr 4, 2022 at 3:32 PM Kafka Life <lifekafka...@gmail.com> wrote:

> Hi Kafka Experts
>
> Regarding the recent threat of vulnerability in the Spring Framework,
> CVE-2022-22965 vulnerability is Spring Boot (Java) for Apache Kafka and
> ZooKeeper. Could one of you suggest how Apache Kafka and ZK are impacted
> and what should be the ideal fix for this.
>
> Vulnerability in the Spring Framework (CVE-2022-22965) | Information
> Security Office (berkeley.edu)
> <https://security.berkeley.edu/news/vulnerability-spring-framework-cve-2022-22965>
>
> Critical alert – Spring4Shell RCE (CVE-2022-22965 in Spring) | Acunetix
> <https://www.acunetix.com/blog/web-security-zone/critical-alert-spring4shell-rce-cve-2022-22965-in-spring/>
>
>
> Thanks in advance
>
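
The "Disallowed Fields" workaround in the reply above refers to the global data-binder configuration described in the linked Spring blog post. The following is an added example, not code from this thread or from the Kafka project, showing what that configuration looks like in a Spring MVC application; the class name BinderControllerAdvice is an assumption.

```java
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

// Added example of the "Disallowed Fields" workaround. The class name is an
// assumption; the field patterns are the ones recommended in the Spring blog
// post linked above.
@ControllerAdvice
@Order(Ordered.LOWEST_PRECEDENCE)
public class BinderControllerAdvice {

    // Request parameters matching these patterns are never bound to model
    // objects, which blocks binding from reaching the "class" property (and,
    // through it, the class loader) of any bound bean.
    static final String[] DENYLIST = {"class.*", "Class.*", "*.class.*", "*.Class.*"};

    // Runs for every controller in the application and applies the denylist
    // to each WebDataBinder before request parameters are bound.
    @InitBinder
    public void setDisallowedFields(WebDataBinder dataBinder) {
        dataBinder.setDisallowedFields(DENYLIST);
    }
}
```

Two caveats a practitioner should keep in mind: a controller that has its own @InitBinder method calling setDisallowedFields replaces this global list rather than extending it, so such controllers must repeat these patterns, and the workaround only reduces exposure of the data-binding path; upgrading Spring Framework to 5.3.18 or 5.2.20 or later remains the actual fix.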
