[
https://issues.apache.org/jira/browse/KAFKA-10245?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17478121#comment-17478121
]
Warren Grunbok commented on KAFKA-10245:
expected would be log4j 2.17 or higher, not 2.13
> Using vulnerable log4j version
> --
>
> Key: KAFKA-10245
> URL: https://issues.apache.org/jira/browse/KAFKA-10245
> Project: Kafka
> Issue Type: Bug
> Components: core, KafkaConnect
>Affects Versions: 2.5.0
>Reporter: Pavel Kuznetsov
>Priority: Major
> Labels: security
>
> *Description*
> I checked kafka_2.12-2.5.0.tgz distribution with WhiteSource and find out
> that log4j version, that used in kafka-connect and kafka-brocker, has
> vulnerabilities
> * log4j-1.2.17.jar has
> [CVE-2019-17571|https://github.com/advisories/GHSA-2qrg-x229-3v8q] and
> [CVE-2020-9488|https://github.com/advisories/GHSA-vwqq-5vrc-xw9h]
> vulnerabilities. The way to fix it is to upgrade to
> org.apache.logging.log4j:log4j-core:2.13.2
> *To Reproduce*
> Download kafka_2.12-2.5.0.tgz
> Open libs folder in it and find log4j-1.2.17.jar.
> Check [CVE-2019-17571|https://github.com/advisories/GHSA-2qrg-x229-3v8q] and
> [CVE-2020-9488|https://github.com/advisories/GHSA-vwqq-5vrc-xw9h] to see that
> log4j 1.2.17 is vulnerable.
> *Expected*
> * log4j is log4j-core 2.13.2 or higher
> *Actual*
> * log4j is 1.2.17
--
This message was sent by Atlassian Jira
(v8.20.1#820001)