[ https://issues.apache.org/jira/browse/KAFKA-9366?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17486380#comment-17486380 ]
Indupriya edited comment on KAFKA-9366 at 2/3/22, 12:29 PM: ------------------------------------------------------------ Hi [~dongjin] , You mean The patch you have released ,will resolve all the critical vulnerabilities along with CVE-2019-17571 ..............? was (Author: JIRAUSER284624): Can Anyone suggests fix for this vulnerabilities in kafka by the use of log4j-1.2.17.....? > Upgrade log4j to log4j2 > ----------------------- > > Key: KAFKA-9366 > URL: https://issues.apache.org/jira/browse/KAFKA-9366 > Project: Kafka > Issue Type: Bug > Components: core > Affects Versions: 2.2.0, 2.1.1, 2.3.0, 2.4.0 > Reporter: leibo > Assignee: Dongjin Lee > Priority: Critical > Labels: needs-kip > Fix For: 3.2.0 > > > h2. CVE-2019-17571 Detail > Included in Log4j 1.2 is a SocketServer class that is vulnerable to > deserialization of untrusted data which can be exploited to remotely execute > arbitrary code when combined with a deserialization gadget when listening to > untrusted network traffic for log data. This affects Log4j versions up to 1.2 > up to 1.2.17. > > [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17571] > -- This message was sent by Atlassian Jira (v8.20.1#820001)