[jira] [Created] (KAFKA-15658) Zookeeper 3.6.3 jar | CVE-2023-44981
masood created KAFKA-15658:
--

Summary: Zookeeper 3.6.3 jar | CVE-2023-44981
Key: KAFKA-15658
URL: https://issues.apache.org/jira/browse/KAFKA-15658
Project: Kafka
Issue Type: Bug
Reporter: masood

The [CVE-2023-44981|https://www.mend.io/vulnerability-database/CVE-2023-44981] vulnerability has been reported in the zookeeper.jar.

It's worth noting that the latest version of Kafka has a dependency on version 3.8.2 of Zookeeper, which is also impacted by this vulnerability.

[https://mvnrepository.com/artifact/org.apache.zookeeper/zookeeper/3.8.2|https://mvnrepository.com/artifact/org.apache.zookeeper/zookeeper/3.8.2.]

Could you please verify its impact on Kafka?

--
This message was sent by Atlassian Jira (v8.20.10#820010)

[jira] [Created] (KAFKA-15577) Reload4j | CVE-2022-45868
masood created KAFKA-15577:
--

Summary: Reload4j | CVE-2022-45868
Key: KAFKA-15577
URL: https://issues.apache.org/jira/browse/KAFKA-15577
Project: Kafka
Issue Type: Bug
Reporter: masood

Maven indicates [CVE-2022-45868|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-45868] in Reload4j.jar.

[https://mvnrepository.com/artifact/ch.qos.reload4j/reload4j/1.2.19]

Could you please verify if this vulnerability affects Kafka?

[jira] [Created] (KAFKA-14986) security vulnerability in jose4j-0.7.9.jar
masood created KAFKA-14986:
--

Summary: security vulnerability in jose4j-0.7.9.jar
Key: KAFKA-14986
URL: https://issues.apache.org/jira/browse/KAFKA-14986
Project: Kafka
Issue Type: Bug
Affects Versions: 3.3.1
Reporter: masood

Kafka has a dependency on the jose4j-0.7.9.jar.

jose4j-0.7.9.jar has been identified with the WS-2023-0116.

[https://www.mend.io/vulnerability-database/WS-2023-0116]

Could you please confirm whether Kafka is impacted by this security vulnerability?

[jira] [Resolved] (KAFKA-14389) CVE-2022-34917 | Fixed in 3.3.1
[ https://issues.apache.org/jira/browse/KAFKA-14389?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

masood resolved KAFKA-14389.

Resolution: Fixed

> CVE-2022-34917 | Fixed in 3.3.1
> ---
>
> Key: KAFKA-14389
> URL: https://issues.apache.org/jira/browse/KAFKA-14389
> Project: Kafka
> Issue Type: Bug
> Components: documentation
> Affects Versions: 3.3.1
> Reporter: masood
> Priority: Major
>
> The following link has not been updated with v3.3.1.
> [https://kafka.apache.org/cve-list#CVE-2022-34917]
> It says the fix is available until 3.2.3, so does it mean this CVE is
> re-introduced in v3.3.1?

[jira] [Created] (KAFKA-14389) CVE-2022-34917 | Fixed in 3.3.1
masood created KAFKA-14389:
--

Summary: CVE-2022-34917 | Fixed in 3.3.1
Key: KAFKA-14389
URL: https://issues.apache.org/jira/browse/KAFKA-14389
Project: Kafka
Issue Type: Bug
Components: documentation
Affects Versions: 3.3.1
Reporter: masood

The following link has not been updated with v3.3.1.

[https://kafka.apache.org/cve-list#CVE-2022-34917]

It says the fix is available until 3.2.3, so does it mean this CVE is re-introduced in v3.3.1?

[jira] [Created] (KAFKA-14387) kafka.common.KafkaException | kafka_2.12-3.3.1.jar
masood created KAFKA-14387:
--

Summary: kafka.common.KafkaException | kafka_2.12-3.3.1.jar
Key: KAFKA-14387
URL: https://issues.apache.org/jira/browse/KAFKA-14387
Project: Kafka
Issue Type: Bug
Components: core
Affects Versions: 3.3.1
Reporter: masood

It appears that Kafka.common.KafkaException is deprecated in kafka_2.12-3.3.1.jar.

Please let me know which exception should be used.

[jira] [Created] (KAFKA-13547) Kafka - 1.0.0 | Remove log4j.jar
masood created KAFKA-13547:
--

Summary: Kafka - 1.0.0 | Remove log4j.jar
Key: KAFKA-13547
URL: https://issues.apache.org/jira/browse/KAFKA-13547
Project: Kafka
Issue Type: Bug
Reporter: masood

We wanted to remove the log4j.jar but ended up with a dependency on the kafka.producer.ProducerConfig.

Caused by: java.lang.NoClassDefFoundError: org/apache/log4j/Logger
    at kafka.utils.Logging.logger(Logging.scala:24)
    at kafka.utils.Logging.logger$(Logging.scala:24)
    at kafka.utils.VerifiableProperties.logger$lzycompute(VerifiableProperties.scala:27)
    at kafka.utils.VerifiableProperties.logger(VerifiableProperties.scala:27)
    at kafka.utils.Logging.info(Logging.scala:71)
    at kafka.utils.Logging.info$(Logging.scala:70)
    at kafka.utils.VerifiableProperties.info(VerifiableProperties.scala:27)
    at kafka.utils.VerifiableProperties.verify(VerifiableProperties.scala:218)
    at kafka.producer.ProducerConfig.<init>(ProducerConfig.scala:61)

Is there any configuration available which can resolve this error?

--
This message was sent by Atlassian Jira (v8.20.1#820001)