[GitHub] [kafka-site] scott-confluent commented on a change in pull request #388: adding new CVEs to list

2021-12-14 Thread GitBox


scott-confluent commented on a change in pull request #388:
URL: https://github.com/apache/kafka-site/pull/388#discussion_r769105156



##
File path: cve-list.html
##
@@ -9,6 +9,70 @@ Apache Kafka Security Vulnerabilities
 
 This page lists all security vulnerabilities fixed in released versions of 
Apache Kafka.
 
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228;>CVE-2021-44228
+  Flaw in Apache Log4j logging library in versions from 2.0.0 and before 
2.15.0
+
+  Some components in Apache Kafka use Log4j-v1.2.17  there is 
no dependence on Log4j v2.*
+  
+  https://logging.apache.org/log4j/2.x/manual/lookups.html;>Lookups 
feature was introduced in Log4j v2.x in order to allow specifying Log4j 
configuration parameters in arbitrary locations (even outside of the 
configuration files). Log4j v1.x does not offer the same functionality and thus 
is not vulnerable to https://access.redhat.com/security/cve/cve-2021-44228;>CVE-2021-44228.
+  Users should NOT be impacted by this vulnerability
+  
+  
+  
+
+  Versions affected
+  org.apache.logging.log4j:log4j-core =2.0-beta9 and  
2.15.0
+
+
+  Fixed versions
+  NA
+
+
+  Impact
+  NA
+
+
+  Issue announced
+  09 Dec 2021
+
+  
+  
+
+https://access.redhat.com/security/cve/CVE-2021-4104;>CVE-2021-4104
+  Flaw in Apache Log4j logging library in versions 1.x
+  
+  The following components in Apache Kafka use Log4j-v1.2.17: 
broker, controller, zookeeper, connect, mirrormaker and tools. Clients may also 
be configured to use Log4j-v1.2.17.
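Review bot: the Versions affected field for CVE-2021-44228 (`org.apache.logging.log4j:log4j-core =2.0-beta9 and  2.15.0`) has lost its comparison operators and uses a different lower bound from the summary line's "from 2.0.0 and before 2.15.0"; write the operators as `&gt;=` and `&lt;` so they survive HTML rendering, and state the same lower bound in both places. Because the page introduces itself as a list of vulnerabilities fixed in Kafka releases, an entry with both Fixed versions and Impact set to `NA` reads as an unfinished record; phrasing Impact as an explicit statement (for example "None: Kafka has no dependency on Log4j 2.x") keeps `NA` from being read as "not yet assessed".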

Review comment:
   Updated. Thanks for clarifying




-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@kafka.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org




[GitHub] [kafka-site] scott-confluent commented on a change in pull request #388: adding new CVEs to list

2021-12-14 Thread GitBox


scott-confluent commented on a change in pull request #388:
URL: https://github.com/apache/kafka-site/pull/388#discussion_r769068111



##
File path: cve-list.html
##
@@ -9,6 +9,63 @@ Apache Kafka Security Vulnerabilities
 
 This page lists all security vulnerabilities fixed in released versions of 
Apache Kafka.
 
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228;>CVE-2021-44228
+  Flaw in Apache Log4j logging library in versions from 2.0.0 and before 
2.15.0
+
+  Some components in Apache Kafka use Log4j-v1.2.17  there is 
no dependence on Log4j v2.*
+  
+  https://logging.apache.org/log4j/2.x/manual/lookups.html;>Lookups 
feature was introduced in Log4j v2.x in order to allow specifying Log4j 
configuration parameters in arbitrary locations (even outside of the 
configuration files). Log4j v1.x does not offer the same functionality and thus 
is not vulnerable to https://access.redhat.com/security/cve/cve-2021-44228;>CVE-2021-44228.
+  Users should NOT be impacted by this vulnerability
+  
+  
+  
+
+  Versions affected
+  NA
+
+
+  Fixed versions
+  NA
+
+
+  Impact
+  NA
+
+
+  Issue announced
+  09 Dec 2021
+
+  
+  
+
+https://access.redhat.com/security/cve/CVE-2021-4104;>CVE-2021-4104
+  Flaw in Apache Log4j logging library in versions 1.x
+  
+  Some components in Apache Kafka use Log4j-v1.2.17
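Review bot: the CVE-2021-4104 block stops at "Some components in Apache Kafka use Log4j-v1.2.17" without naming those components or stating under which configuration Log4j 1.x is affected, so a reader cannot tell from the entry whether their deployment is exposed; list the components that ship the dependency and add the condition that makes 1.x vulnerable before the Versions affected / Fixed versions table.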

Review comment:
   Is this to update the last sentence of the first paragraph?








[GitHub] [kafka-site] scott-confluent commented on a change in pull request #388: adding new CVEs to list

2021-12-14 Thread GitBox


scott-confluent commented on a change in pull request #388:
URL: https://github.com/apache/kafka-site/pull/388#discussion_r768958081



##
File path: cve-list.html
##
@@ -9,6 +9,63 @@ Apache Kafka Security Vulnerabilities
 
 This page lists all security vulnerabilities fixed in released versions of 
Apache Kafka.
 
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228;>CVE-2021-44228
+  Flaw in Apache Log4j logging library in versions from 2.0.0 and before 
2.15.0
+
+  Some components in Apache Kafka use Log4j-v1.2.17  there is 
no dependence on Log4j v2.*
+  
+  https://logging.apache.org/log4j/2.x/manual/lookups.html;>Lookups 
feature was introduced in Log4j v2.x in order to allow specifying Log4j 
configuration parameters in arbitrary locations (even outside of the 
configuration files). Log4j v1.x does not offer the same functionality and thus 
is not vulnerable to https://access.redhat.com/security/cve/cve-2021-44228;>CVE-2021-44228.
+  Users should NOT be impacted by this vulnerability
+  
+  
+  
+
+  Versions affected
+  NA
+
+
+  Fixed versions
+  NA
+
+
+  Impact
+  NA
+
+
+  Issue announced
+  09 Dec 2021
+
+  
+  
+
+https://access.redhat.com/security/cve/CVE-2021-4104;>CVE-2021-4104
+  Flaw in Apache Log4j logging library in versions 1.x
+  
+  Some components in Apache Kafka use Log4j-v1.2.17
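Review bot: "Users should NOT be impacted by this vulnerability" hedges what the preceding sentence states outright ("Log4j v1.x ... is not vulnerable"); either make the conclusion definitive or say exactly what the hedge covers (for example, users who add a Log4j 2.x dependency themselves). The same CVE is also linked to two different trackers in this entry (the MITRE entry in the heading, the Red Hat page in the paragraph); linking consistently makes the entry easier to audit.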

Review comment:
   Here it is with both updates:
   https://user-images.githubusercontent.com/66280178/146062124-bc90d370-91ed-40e7-a0c6-771c0bf9d856.png

##
File path: cve-list.html
##
@@ -9,6 +9,63 @@ Apache Kafka Security Vulnerabilities
 
 This page lists all security vulnerabilities fixed in released versions of 
Apache Kafka.
 
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228;>CVE-2021-44228
+  Flaw in Apache Log4j logging library in versions from 2.0.0 and before 
2.15.0
+
+  Some components in Apache Kafka use Log4j-v1.2.17  there is 
no dependence on Log4j v2.*
+  
+  https://logging.apache.org/log4j/2.x/manual/lookups.html;>Lookups 
feature was introduced in Log4j v2.x in order to allow specifying Log4j 
configuration parameters in arbitrary locations (even outside of the 
configuration files). Log4j v1.x does not offer the same functionality and thus 
is not vulnerable to https://access.redhat.com/security/cve/cve-2021-44228;>CVE-2021-44228.
+  Users should NOT be impacted by this vulnerability
+  
+  
+  
+
+  Versions affected
+  NA
+
+
+  Fixed versions
+  NA
+
+
+  Impact
+  NA
+
+
+  Issue announced
+  09 Dec 2021
+
+  
+  
+
+https://access.redhat.com/security/cve/CVE-2021-4104;>CVE-2021-4104
+  Flaw in Apache Log4j logging library in versions 1.x
+  
+  Some components in Apache Kafka use Log4j-v1.2.17
+
+  Version 1.x of Log4J can be configured to use JMS Appender, which 
publishes log events to a JMS Topic. Log4j 1.x is vulnerable if the deployed 
application is configured to use JMSAppender.
+  
+  
+  
+
+  Versions affected
+  All versions
+
+
+  Fixed versions
+  NA
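Review bot: "Versions affected: All versions" paired with "Fixed versions: NA" leaves the reader with no action to take, although the paragraph above already gives the exploitable condition (an application configured to use JMSAppender); state in the entry whether Kafka's shipped log4j configuration enables JMSAppender and that deployments which do not configure it are not affected, so the mitigation is visible without reading the upstream advisory. Minor style point: "Log4J" in "Version 1.x of Log4J" should match the "Log4j" spelling used everywhere else on the page.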

Review comment:
   Here it is with both updates:
   https://user-images.githubusercontent.com/66280178/146062124-bc90d370-91ed-40e7-a0c6-771c0bf9d856.png








[GitHub] [kafka-site] scott-confluent commented on a change in pull request #388: adding new CVEs to list

2021-12-14 Thread GitBox


scott-confluent commented on a change in pull request #388:
URL: https://github.com/apache/kafka-site/pull/388#discussion_r768941484



##
File path: cve-list.html
##
@@ -9,6 +9,63 @@ Apache Kafka Security Vulnerabilities
 
 This page lists all security vulnerabilities fixed in released versions of 
Apache Kafka.
 
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228;>CVE-2021-44228
+  Flaw in Apache Log4j logging library in versions from 2.0.0 and before 
2.15.0
+
+  Some components in Apache Kafka use Log4j-v1.2.17  there is 
no dependence on Log4j v2.*
+  
+  https://logging.apache.org/log4j/2.x/manual/lookups.html;>Lookups 
feature was introduced in Log4j v2.x in order to allow specifying Log4j 
configuration parameters in arbitrary locations (even outside of the 
configuration files). Log4j v1.x does not offer the same functionality and thus 
is not vulnerable to https://access.redhat.com/security/cve/cve-2021-44228;>CVE-2021-44228.
+  Users should NOT be impacted by this vulnerability
+  
+  
+  
+
+  Versions affected
+  NA
+
+
+  Fixed versions
+  NA
+
+
+  Impact
+  NA
+
+
+  Issue announced
+  09 Dec 2021
+
+  
+  
+
+https://access.redhat.com/security/cve/CVE-2021-4104;>CVE-2021-4104
+  Flaw in Apache Log4j logging library in versions 1.x
+  
+  Some components in Apache Kafka use Log4j-v1.2.17
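Review bot: "Some components in Apache Kafka use Log4j-v1.2.17  there is no dependence on Log4j v2.*" runs two statements together with no connector (likely a lost separator in the source), and the double space suggests something was dropped; split it into two sentences ("Some components in Apache Kafka use Log4j 1.2.17. There is no dependence on Log4j 2.x.") and use one version notation, since the page otherwise writes versions as "2.0.0" and "2.15.0" rather than "v2.*".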

Review comment:
   How does something like this sound?
   
   "Some components, including but not limited to: broker, controller, 
zookeeper, connect, mirrormaker, tools, and clients configured with log4j, use 
`Log4j-v1.2.17`"



