This is an automated email from the ASF dual-hosted git repository.

showuon pushed a commit to branch asf-site
in repository https://gitbox.apache.org/repos/asf/kafka-site.git


The following commit(s) were added to refs/heads/asf-site by this push:
     new a2ad775  MINOR: Add CVE-2022-23302 and CVE-2022-23305 to cve-list (#396)
a2ad775 is described below

commit a2ad775f3c0d2d04743d5880bed4465f22203b1c
Author: Luke Chen <[email protected]>
AuthorDate: Sun Feb 13 10:25:30 2022 +0800

    MINOR: Add CVE-2022-23302 and CVE-2022-23305 to cve-list (#396)
    
    * add more info in the "adding to contributor list" section
    * add CVE-2022-23302 and CVE-2022-23305 to cve-list
    
    Reviewers: Jun Rao <[email protected]>, Israel Ekpo <[email protected]>
---
 cve-list.html | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 50 insertions(+)

diff --git a/cve-list.html b/cve-list.html
index d5f62ba..dbca288 100644
--- a/cve-list.html
+++ b/cve-list.html
@@ -9,6 +9,56 @@
 
 This page lists all security vulnerabilities fixed in released versions of 
Apache Kafka.
 
+<h2><a 
href="https://nvd.nist.gov/vuln/detail/CVE-2022-23302";>CVE-2022-23302</a> 
Deserialization of Untrusted Data Flaw in JMSSink of Apache Log4j logging 
library in versions 1.x</h2>
+
+  <p>This CVE identified a flaw where it allows the attacker to provide a 
TopicConnectionFactoryBindingName configuration that will cause JMSSink to 
perform JNDI requests that result in remote code execution in a similar fashion 
to CVE-2021-4104.</p>
+
+  <table class="data-table">
+    <tbody>
+    <tr>
+      <td>Versions affected</td>
+      <td>All AK versions</td>
+    </tr>
+    <tr>
+      <td>Fixed versions</td>
+      <td>In the absence of a new log4j 1.x release, one can remove JMSSink 
class from the log4j-1.2.17.jar artifact.</td>
+    </tr>
+    <tr>
+      <td>Impact</td>
+      <td>When the attacker has write access to the Log4j configuration or if 
the configuration references an LDAP service the attacker has access to. The 
attacker can provide a configuration causing JMSSink to perform JNDI requests 
that result in remote code execution.</td>
+    </tr>
+    <tr>
+      <td>Issue announced</td>
+      <td>18 Jan 2022</td>
+    </tr>
+    </tbody>
+  </table>
+
+<h2><a 
href="https://nvd.nist.gov/vuln/detail/CVE-2022-23305";>CVE-2022-23305</a> SQL 
injection Flaw in Apache Log4j logging library in versions 1.x</h2>
+
+  <p>This CVE identified a flaw where it  allows a remote attacker to run SQL 
statements in the database if the deployed application is configured to use 
JDBCAppender with certain interpolation tokens.</p>
+
+  <table class="data-table">
+    <tbody>
+    <tr>
+      <td>Versions affected</td>
+      <td>All AK versions</td>
+    </tr>
+    <tr>
+      <td>Fixed versions</td>
+      <td>In the absence of a new log4j 1.x release, one can remove 
JDBCAppender class from the log4j-1.2.17.jar artifact.</td>
+    </tr>
+    <tr>
+      <td>Impact</td>
+      <td>This issue could result in a SQL injection attack when the 
application is configured to use JDBCAppender.</td>
+    </tr>
+    <tr>
+      <td>Issue announced</td>
+      <td>18 Jan 2022</td>
+    </tr>
+    </tbody>
+  </table>
+
 <h2><a 
href="https://nvd.nist.gov/vuln/detail/CVE-2022-23307";>CVE-2022-23307</a> 
Deserialization of Untrusted Data Flaw in Apache Log4j logging library in 
versions 1.x</h2>
 
   <p>This CVE identified a flaw where it allows an attacker to send a 
malicious request with serialized data to the component running <code>log4j 
1.x</code> to be deserialized when the chainsaw component is run. Chainsaw is a 
standalone GUI for viewing log entries in log4j. An attacker not only needs to 
be able to generate malicious log entries, but also, have the necessary access 
and permissions to start chainsaw (or if it is already enabled by a customer / 
consumer of Apache Kafka).</p>
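Review bot: the "Fixed versions" cells for both new entries name no version at all but carry a workaround ("In the absence of a new log4j 1.x release, one can remove JMSSink class from the log4j-1.2.17.jar artifact."), which a reader scanning that row for a Kafka version to upgrade to will misread; state plainly that no fixed version exists and give the workaround as an actionable step with the fully qualified class names (in log4j 1.2 these are org.apache.log4j.net.JMSSink and org.apache.log4j.jdbc.JDBCAppender) so the classes can actually be located in the jar. The "Versions affected" cell of "All AK versions" also overstates exposure: the CVE-2022-23302 Impact cell itself limits the attack to deployments whose Log4j configuration the attacker can write or whose configuration references an LDAP service the attacker controls, and the CVE-2022-23305 summary already says "if the deployed application is configured to use JDBCAppender", so say in the affected-versions cell that a Kafka deployment is exposed only when its log4j configuration enables JMSSink (resp. JDBCAppender). Two wording nits in the same hunk: the CVE-2022-23302 Impact cell opens with a sentence fragment ("When the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to.") that should be joined to the sentence that follows it, and the CVE-2022-23305 summary has a doubled space in "it  allows".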
