Security Vulnerabilities

2018-04-05 Thread Nikolaos Strongioglou
Is there a list including Kafka's outstanding security vulnerability issues
like the ones posted in the majority of CVE databases? I am looking for
something like this -->
https://www.cvedetails.com/product/27453/Apache-Zookeeper.html?vendor_id=45


Kafka 1.0 process of security vulnerabilities

2017-12-14 Thread Lin Chen
All:

We are deploying Kafka 1.0 as a microservice. I want to understand the process 
of security vulnerabilities in the Kafka project. How are the vulnerabilities 
identified, in addition to being reported by users? Are any tools used for static 
and dynamic scans? Can the scan results be shared?


   Thanks

   Lin Chen
Genesys Laboratories Canada Inc.




Security vulnerabilities in kafka:2.13-2.6.0/2.7.0 docker image

2021-08-31 Thread Ashish Patil
Hi Team

I wanted to use the 2.6.0 docker image for Kafka but it has lots of security 
vulnerabilities.
Please find the below list of security vulnerabilities:

CVE-2021-36159
CVE-2020-25649 <https://github.com/advisories/GHSA-288c-cq4h-88gq>
CVE-2021-22926
CVE-2021-22922
CVE-2021-22924
CVE-2021-22922
CVE-2021-22924
CVE-2021-31535
CVE-2019-17571 <https://github.com/advisories/GHSA-2qrg-x229-3v8q>

I did raise this issue here 
https://github.com/wurstmeister/kafka-docker/issues/681 but it looks like the 
issue is within the Kafka binary.


Do we have any plan to fix this in the coming version or any suggestions around 
this?
Thanks
Ashish


Do the Jackson security vulnerabilities affect Kafka at all?

2018-02-20 Thread Jeff Widman
The Jackson JSON parser library had a couple of CVEs announced:
1. CVE-2017-7525
2. CVE-2017-15095

Here's a skimmable summary:
https://adamcaudill.com/2017/10/04/exploiting-jackson-rce-cve-2017-7525/

Looking at the source, it appears Kafka uses an older version of Jackson
which has the vulnerabilities.

However, these vulnerabilities only happen when Jackson is used in specific
ways. I'm not familiar enough with all the places that Kafka uses Jackson
to understand whether Kafka is susceptible, and I come from a non-Java
background so it's difficult for me to parse the Java source with 100%
confidence that I understand what's happening.

I know primarily Kafka uses JSON for inter-cluster communication through
Zookeeper, so if an attacker could access Zookeeper could they update the
znode payloads to exploit this? Additionally, I think there are some util
scripts that (de)serialize JSON files, for example the
partition-reassignment scripts...

So do these CVEs apply to Kafka?

If so, it seems the patch is fairly trivial of just upgrading to a newer
version of Jackson...
should this also be backported to the 1.0.1 release?





Re: Security vulnerabilities in kafka:2.13-2.6.0/2.7.0 docker image

2021-08-31 Thread Luke Chen
Hi Ashish,
I suggest that you upgrade to V2.8.
I checked 2 of the CVEs, and they are fixed (or not used, like libfetch) in
V2.8.
If you still find that the CVEs exist in V2.8, please raise it.

Thank you.
Luke






Re: Do the Jackson security vulnerabilities affect Kafka at all?

2018-02-20 Thread Ismael Juma
Hi Jeff,

Have you checked trunk and 1.1? They should be using the latest version.

Ismael



Re: Do the Jackson security vulnerabilities affect Kafka at all?

2018-02-21 Thread Jeff Widman
My bad, I forgot I had checked out the 1.0.1 source which has Jackson
2.9.1...

I thought the fix required 2.9.3 based on what I'd been told by the
security team at a customer (the original motivation behind my email), but
I dug a bit deeper and it looks like 2.9.1 has the patch, so 1.0.1 is
already protected against this.

Thanks Ismael, and my apologies for wasting everyone's time.





[jira] [Resolved] (KAFKA-9996) upgrade zookeeper to 3.5.8 to address security vulnerabilities

2020-07-18 Thread Ismael Juma (Jira)


     [ https://issues.apache.org/jira/browse/KAFKA-9996?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ismael Juma resolved KAFKA-9996.

    Fix Version/s: 2.5.1
                   2.4.2
                   2.6.0
       Resolution: Fixed

> upgrade zookeeper to 3.5.8 to address security vulnerabilities
> --------------------------------------------------------------
>
>                 Key: KAFKA-9996
>                 URL: https://issues.apache.org/jira/browse/KAFKA-9996
>             Project: Kafka
>          Issue Type: Bug
>          Components: packaging
>    Affects Versions: 2.5.0
>            Reporter: Emanuele Maccherani
>            Assignee: Ismael Juma
>            Priority: Major
>             Fix For: 2.6.0, 2.4.2, 2.5.1
>
>
> Kafka is now using zookeeper 3.5.7, which is affected by CVE-2020-8840 and 
> CVE-2020-9488. Those 2 are resolved in 3.5.8.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)


RE: [EXTERNAL] Re: Security vulnerabilities in kafka:2.13-2.6.0/2.7.0 docker image

2021-09-01 Thread Ashish Patil
Hi Team

I tried upgrading it to 2.13_2.8.0 but still have these vulnerabilities.


What is your suggestion on this?

Thanks
Ashish



Re: [EXTERNAL] Re: Security vulnerabilities in kafka:2.13-2.6.0/2.7.0 docker image

2021-09-01 Thread Luke Chen
Hi Ashish,

CVE-2021-36159: It's a libfetch lib vulnerability. It's not Kafka's
dependency lib. I guess it's the docker's base OS image.
CVE-2019-17571: a log4j vulnerability. KAFKA-9366
<https://issues.apache.org/jira/browse/KAFKA-9366> is working on it.

Thank you.
Luke



[jira] [Resolved] (KAFKA-14206) Upgrade zookeeper to 3.7.1 to address security vulnerabilities

2023-08-21 Thread Mickael Maison (Jira)


     [ https://issues.apache.org/jira/browse/KAFKA-14206?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Mickael Maison resolved KAFKA-14206.

    Fix Version/s: 3.5.0
       Resolution: Fixed

Kafka 3.5.0 uses ZooKeeper 3.6.4

> Upgrade zookeeper to 3.7.1 to address security vulnerabilities
> --------------------------------------------------------------
>
>                 Key: KAFKA-14206
>                 URL: https://issues.apache.org/jira/browse/KAFKA-14206
>             Project: Kafka
>          Issue Type: Improvement
>          Components: packaging
>    Affects Versions: 3.2.1
>            Reporter: Valeriy Kassenbayev
>            Priority: Blocker
>             Fix For: 3.5.0
>
>
> Kafka 3.2.1 is using ZooKeeper, which is affected by 
> [CVE-2021-37136|https://security.snyk.io/vuln/SNYK-JAVA-IONETTY-1584064] and 
> [CVE-2021-37137:|https://www.cve.org/CVERecord?id=CVE-2021-37137]
> {code:java}
>   ✗ Denial of Service (DoS) [High Severity][https://security.snyk.io/vuln/SNYK-JAVA-IONETTY-1584063] in io.netty:netty-codec@4.1.63.Final
>     introduced by org.apache.kafka:kafka_2.13@3.2.1 > org.apache.zookeeper:zookeeper@3.6.3 > io.netty:netty-handler@4.1.63.Final > io.netty:netty-codec@4.1.63.Final
>   This issue was fixed in versions: 4.1.68.Final
>   ✗ Denial of Service (DoS) [High Severity][https://security.snyk.io/vuln/SNYK-JAVA-IONETTY-1584064] in io.netty:netty-codec@4.1.63.Final
>     introduced by org.apache.kafka:kafka_2.13@3.2.1 > org.apache.zookeeper:zookeeper@3.6.3 > io.netty:netty-handler@4.1.63.Final > io.netty:netty-codec@4.1.63.Final
>   This issue was fixed in versions: 4.1.68.Final
> {code}
> The issues were fixed in the next versions of ZooKeeper (starting from 
> 3.6.4). ZooKeeper 3.7.1 is the next stable 
> [release|https://zookeeper.apache.org/releases.html] at the moment.





[jira] [Created] (KAFKA-9996) upgrade zookeeper to 3.5.8 to address security vulnerabilities

2020-05-14 Thread Emanuele Maccherani (Jira)
Emanuele Maccherani created KAFKA-9996:
------------------------------------------

             Summary: upgrade zookeeper to 3.5.8 to address security vulnerabilities
                 Key: KAFKA-9996
                 URL: https://issues.apache.org/jira/browse/KAFKA-9996
             Project: Kafka
          Issue Type: Bug
          Components: packaging
    Affects Versions: 2.5.0
            Reporter: Emanuele Maccherani


Kafka is now using zookeeper 3.5.7, which is affected by CVE-2020-8840 and 
CVE-2020-9488. Those 2 are resolved in 3.5.8.





[jira] [Created] (KAFKA-14206) Upgrade zookeeper to 3.7.1 to address security vulnerabilities

2022-09-07 Thread Valeriy Kassenbayev (Jira)
Valeriy Kassenbayev created KAFKA-14206:
-------------------------------------------

             Summary: Upgrade zookeeper to 3.7.1 to address security vulnerabilities
                 Key: KAFKA-14206
                 URL: https://issues.apache.org/jira/browse/KAFKA-14206
             Project: Kafka
          Issue Type: Improvement
          Components: packaging
    Affects Versions: 3.2.1
            Reporter: Valeriy Kassenbayev


Kafka 3.2.1 is using ZooKeeper, which is affected by 
[CVE-2021-37136|https://security.snyk.io/vuln/SNYK-JAVA-IONETTY-1584064] and 
[CVE-2021-37137:|https://www.cve.org/CVERecord?id=CVE-2021-37137]
{code:java}
  ✗ Denial of Service (DoS) [High Severity][https://security.snyk.io/vuln/SNYK-JAVA-IONETTY-1584063] in io.netty:netty-codec@4.1.63.Final
    introduced by org.apache.kafka:kafka_2.13@3.2.1 > org.apache.zookeeper:zookeeper@3.6.3 > io.netty:netty-handler@4.1.63.Final > io.netty:netty-codec@4.1.63.Final
  This issue was fixed in versions: 4.1.68.Final
  ✗ Denial of Service (DoS) [High Severity][https://security.snyk.io/vuln/SNYK-JAVA-IONETTY-1584064] in io.netty:netty-codec@4.1.63.Final
    introduced by org.apache.kafka:kafka_2.13@3.2.1 > org.apache.zookeeper:zookeeper@3.6.3 > io.netty:netty-handler@4.1.63.Final > io.netty:netty-codec@4.1.63.Final
  This issue was fixed in versions: 4.1.68.Final
{code}
The issues were fixed in the next versions of ZooKeeper (starting from 3.6.4). 
ZooKeeper 3.7.1 is the next stable 
[release|https://zookeeper.apache.org/releases.html] at the moment.





[jira] [Reopened] (KAFKA-14206) Upgrade zookeeper to 3.7.1 to address security vulnerabilities

2023-02-27 Thread Valeriy Kassenbayev (Jira)


     [ https://issues.apache.org/jira/browse/KAFKA-14206?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Valeriy Kassenbayev reopened KAFKA-14206:
----------------------------------------

Still have the same CVEs reported:
{code:java}
  ✗ Denial of Service (DoS) [High Severity][https://security.snyk.io/vuln/SNYK-JAVA-IONETTY-1584063] in io.netty:netty-codec@4.1.63.Final
    introduced by org.apache.kafka:kafka_2.13@3.4.0 > org.apache.zookeeper:zookeeper@3.6.3 > io.netty:netty-handler@4.1.63.Final > io.netty:netty-codec@4.1.63.Final
  This issue was fixed in versions: 4.1.68.Final
  ✗ Denial of Service (DoS) [High Severity][https://security.snyk.io/vuln/SNYK-JAVA-IONETTY-1584064] in io.netty:netty-codec@4.1.63.Final
    introduced by org.apache.kafka:kafka_2.13@3.4.0 > org.apache.zookeeper:zookeeper@3.6.3 > io.netty:netty-handler@4.1.63.Final > io.netty:netty-codec@4.1.63.Final
  This issue was fixed in versions: 4.1.68.Final
{code}
ZooKeeper does not seem to have been upgraded:
{code:java}
[mac /tmp]# tar tzf kafka_2.13-3.4.0.tgz | grep -i libs/zookeeper
kafka_2.13-3.4.0/libs/zookeeper-3.6.3.jar
kafka_2.13-3.4.0/libs/zookeeper-jute-3.6.3.jar
[mac /tmp]#
{code}

> Upgrade zookeeper to 3.7.1 to address security vulnerabilities
> --------------------------------------------------------------
>
>                 Key: KAFKA-14206
>                 URL: https://issues.apache.org/jira/browse/KAFKA-14206
>             Project: Kafka
>          Issue Type: Improvement
>          Components: packaging
>    Affects Versions: 3.2.1
>            Reporter: Valeriy Kassenbayev
>            Assignee: Luke Chen
>            Priority: Blocker
>             Fix For: 3.4.0
>
>
> Kafka 3.2.1 is using ZooKeeper, which is affected by 
> [CVE-2021-37136|https://security.snyk.io/vuln/SNYK-JAVA-IONETTY-1584064] and 
> [CVE-2021-37137:|https://www.cve.org/CVERecord?id=CVE-2021-37137]
> {code:java}
>   ✗ Denial of Service (DoS) [High Severity][https://security.snyk.io/vuln/SNYK-JAVA-IONETTY-1584063] in io.netty:netty-codec@4.1.63.Final
>     introduced by org.apache.kafka:kafka_2.13@3.2.1 > org.apache.zookeeper:zookeeper@3.6.3 > io.netty:netty-handler@4.1.63.Final > io.netty:netty-codec@4.1.63.Final
>   This issue was fixed in versions: 4.1.68.Final
>   ✗ Denial of Service (DoS) [High Severity][https://security.snyk.io/vuln/SNYK-JAVA-IONETTY-1584064] in io.netty:netty-codec@4.1.63.Final
>     introduced by org.apache.kafka:kafka_2.13@3.2.1 > org.apache.zookeeper:zookeeper@3.6.3 > io.netty:netty-handler@4.1.63.Final > io.netty:netty-codec@4.1.63.Final
>   This issue was fixed in versions: 4.1.68.Final
> {code}
> The issues were fixed in the next versions of ZooKeeper (starting from 
> 3.6.4). ZooKeeper 3.7.1 is the next stable 
> [release|https://zookeeper.apache.org/releases.html] at the moment.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
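
The `tar tzf ... | grep` check in the reopen comment above, generalized into a version gate (an added example, not part of the original message or of the Kafka project). The minimums 3.6.4 and 4.1.68.Final come from the ticket; the function names and the netty-codec line in the sample listing are assumptions made for illustration.

```shell
#!/bin/sh
# Flag bundled jars that are older than a required minimum version.
# Input: a `tar tzf` listing on stdin. Arguments: artifact=minimum pairs.

# Drop a trailing qualifier such as ".Final" so only the numeric part is compared.
numeric() {
    printf '%s\n' "$1" | sed 's/\.[A-Za-z].*$//'
}

# ver_lt A B: true when version A is strictly lower than version B.
# Relies on version sort (sort -V: GNU coreutils and recent BSD sort).
ver_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Prints one OUTDATED line per offending jar; returns 1 if any was found.
audit_listing() {
    listing=$(cat)
    status=0
    for rule in "$@"; do
        artifact=${rule%%=*}
        minimum=${rule#*=}
        # Require a digit right after "<artifact>-" so that "zookeeper"
        # does not also match "zookeeper-jute".
        for found in $(printf '%s\n' "$listing" |
            sed -n "s|^.*/libs/${artifact}-\([0-9][0-9A-Za-z.]*\)\.jar\$|\1|p"); do
            if ver_lt "$(numeric "$found")" "$(numeric "$minimum")"; then
                printf 'OUTDATED %s %s (need >= %s)\n' \
                    "$artifact" "$found" "$minimum"
                status=1
            fi
        done
    done
    return "$status"
}

# Constructed listing: the two zookeeper lines are the ones quoted in the
# comment above, the netty-codec line is an assumed entry for illustration.
sample_listing() {
    cat <<'EOF'
kafka_2.13-3.4.0/libs/zookeeper-3.6.3.jar
kafka_2.13-3.4.0/libs/zookeeper-jute-3.6.3.jar
kafka_2.13-3.4.0/libs/netty-codec-4.1.63.Final.jar
EOF
}

sample_listing | audit_listing zookeeper=3.6.4 netty-codec=4.1.68.Final ||
    echo "upgrade needed"

# Against a real download:
#   tar tzf kafka_2.13-3.4.0.tgz | audit_listing zookeeper=3.6.4
```

The non-zero return status lets the same function fail a CI job when a release tarball still ships a jar below the fixed version.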


[jira] [Created] (KAFKA-14137) Security Vulnerabilities reported in CVE-2021-45046 and CVE-2021-45046

2022-08-03 Thread venkat (Jira)
venkat created KAFKA-14137:
------------------------------

             Summary: Security Vulnerabilities reported in CVE-2021-45046 and CVE-2021-45046
                 Key: KAFKA-14137
                 URL: https://issues.apache.org/jira/browse/KAFKA-14137
             Project: Kafka
          Issue Type: Improvement
          Components: KafkaConnect
         Environment: Production
            Reporter: venkat


Security vulnerabilities issues reported in CVE-2021-45046 and CVE-2021-45046

VUL0094706 -QID-376209: Apache Log4j Remote Code Execution (RCE) Vulnerability 
(CVE-2021-44832)





[jira] [Resolved] (KAFKA-14137) Security Vulnerabilities reported in CVE-2021-45046 and CVE-2021-45046

2022-10-18 Thread Greg Harris (Jira)


     [ https://issues.apache.org/jira/browse/KAFKA-14137?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Greg Harris resolved KAFKA-14137.
--------------------------------
    Resolution: Fixed

> Security Vulnerabilities reported in CVE-2021-45046 and CVE-2021-45046
> ----------------------------------------------------------------------
>
>                 Key: KAFKA-14137
>                 URL: https://issues.apache.org/jira/browse/KAFKA-14137
>             Project: Kafka
>          Issue Type: Improvement
>          Components: KafkaConnect
>         Environment: Production
>            Reporter: venkat
>            Priority: Critical
>
> Security vulnerabilities issues reported in CVE-2021-45046 and CVE-2021-45046
> VUL0094706 -QID-376209: Apache Log4j Remote Code Execution (RCE) 
> Vulnerability (CVE-2021-44832)


