[jira] [Commented] (KAFKA-10245) Using vulnerable log4j version

2022-01-18 Thread Warren Grunbok (Jira)


[ 
https://issues.apache.org/jira/browse/KAFKA-10245?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17478121#comment-17478121
 ] 

Warren Grunbok commented on KAFKA-10245:


expected would be log4j 2.17 or higher, not 2.13

> Using vulnerable log4j version
> --
>
> Key: KAFKA-10245
> URL: https://issues.apache.org/jira/browse/KAFKA-10245
> Project: Kafka
>  Issue Type: Bug
>  Components: core, KafkaConnect
>Affects Versions: 2.5.0
>Reporter: Pavel Kuznetsov
>Priority: Major
>  Labels: security
>
> *Description*
> I checked the kafka_2.12-2.5.0.tgz distribution with WhiteSource and found out 
> that the log4j version used in kafka-connect and the kafka broker has 
> vulnerabilities
>  * log4j-1.2.17.jar has 
> [CVE-2019-17571|https://github.com/advisories/GHSA-2qrg-x229-3v8q] and 
> [CVE-2020-9488|https://github.com/advisories/GHSA-vwqq-5vrc-xw9h] 
> vulnerabilities. The way to fix it is to upgrade to 
> org.apache.logging.log4j:log4j-core:2.13.2
> *To Reproduce*
> Download kafka_2.12-2.5.0.tgz
> Open libs folder in it and find log4j-1.2.17.jar.
> Check [CVE-2019-17571|https://github.com/advisories/GHSA-2qrg-x229-3v8q] and 
> [CVE-2020-9488|https://github.com/advisories/GHSA-vwqq-5vrc-xw9h] to see that 
> log4j 1.2.17 is vulnerable.
> *Expected*
>  * log4j is log4j-core 2.13.2 or higher
> *Actual*
>  * log4j is 1.2.17



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
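The "To Reproduce" steps above (unpack the distribution, look in libs/ for the log4j jar) and the expected-version threshold from the comment can be turned into a repeatable check. The script below is an added example written for this thread; it is not code from the Jira ticket, from WhiteSource, or from the Kafka project. It classifies jar names in a Kafka libs/ listing: any log4j 1.x jar is flagged (the ticket cites CVE-2019-17571 and CVE-2020-9488 for 1.2.17), a log4j 2.x jar is accepted only at 2.17 or higher as the comment asks, and the slf4j-log4j12 binding is flagged because it wires SLF4J to log4j 1.2. The sample listings are constructed from what the ticket describes, not copied from a real archive; `MIN_ACCEPTABLE`, `classify` and `distribution_ok` are names chosen here.

```python
"""Check a Kafka distribution's libs/ listing for an acceptable log4j version.

Added example for KAFKA-10245; not part of the ticket or the Kafka project.
"""
import re
import tarfile
from typing import Iterable, List, Optional

# Matches log4j-1.2.17.jar, log4j-core-2.13.2.jar, log4j-1.2-api-2.17.1.jar, ...
# The artifact group is non-greedy so the trailing dotted number is the version.
LOG4J_JAR = re.compile(
    r"^(?P<artifact>log4j(?:-[a-z0-9.]+)*?)-(?P<version>\d+(?:\.\d+)*)\.jar$"
)
# SLF4J binding for log4j 1.2: its presence means log4j 1.x is still wired in.
SLF4J_LOG4J12 = re.compile(r"^slf4j-log4j12-\d")

# Threshold from the comment on the ticket: "log4j 2.17 or higher".
MIN_ACCEPTABLE = (2, 17)


def parse_version(text: str) -> tuple:
    """'2.13.2' -> (2, 13, 2)."""
    return tuple(int(part) for part in text.split("."))


def at_least(version: tuple, minimum: tuple) -> bool:
    """Compare dotted versions, padding with zeros so (2, 17) == (2, 17, 0)."""
    width = max(len(version), len(minimum))

    def pad(v: tuple) -> tuple:
        return v + (0,) * (width - len(v))

    return pad(version) >= pad(minimum)


def classify(jar_path: str) -> Optional[dict]:
    """Return a finding for a log4j-related jar, or None for unrelated jars."""
    base = jar_path.rsplit("/", 1)[-1]
    if SLF4J_LOG4J12.match(base):
        return {"jar": base, "ok": False,
                "reason": "slf4j-log4j12 binds SLF4J to log4j 1.2 (vulnerable 1.x line)"}
    match = LOG4J_JAR.match(base)
    if match is None:
        return None
    version = parse_version(match.group("version"))
    if version[0] < 2:
        # log4j 1.x: the ticket cites CVE-2019-17571 and CVE-2020-9488 for 1.2.17.
        return {"jar": base, "ok": False,
                "reason": "log4j 1.x (CVE-2019-17571, CVE-2020-9488); upgrade to log4j 2"}
    if not at_least(version, MIN_ACCEPTABLE):
        return {"jar": base, "ok": False,
                "reason": "log4j 2.x below %s" % ".".join(map(str, MIN_ACCEPTABLE))}
    return {"jar": base, "ok": True, "reason": "meets minimum version"}


def check_names(names: Iterable[str]) -> List[dict]:
    """Findings for every logging-related jar in a file listing."""
    return [f for f in (classify(n) for n in names) if f is not None]


def distribution_ok(names: Iterable[str]) -> bool:
    """True only if log4j jars were found and every one of them is acceptable.

    An archive with no log4j jar at all is reported as not OK, because the
    check cannot confirm anything about it.
    """
    findings = check_names(names)
    return bool(findings) and all(f["ok"] for f in findings)


def scan_tgz(path: str) -> List[dict]:
    """Run the check over a downloaded kafka_*.tgz without extracting it."""
    with tarfile.open(path, "r:gz") as archive:
        return check_names(archive.getnames())


# Constructed listing modelled on the libs/ directory the ticket describes for
# kafka_2.12-2.5.0 (only a few jars shown; versions other than log4j are assumed).
KAFKA_2_5_0_LIBS = [
    "kafka_2.12-2.5.0/libs/kafka_2.12-2.5.0.jar",
    "kafka_2.12-2.5.0/libs/log4j-1.2.17.jar",
    "kafka_2.12-2.5.0/libs/slf4j-log4j12-1.7.30.jar",
    "kafka_2.12-2.5.0/libs/slf4j-api-1.7.30.jar",
]

# Constructed listing of what a libs/ that satisfies the comment would contain.
FIXED_LIBS = [
    "libs/log4j-api-2.17.1.jar",
    "libs/log4j-core-2.17.1.jar",
    "libs/log4j-1.2-api-2.17.1.jar",
    "libs/log4j-slf4j-impl-2.17.1.jar",
    "libs/slf4j-api-1.7.30.jar",
]

if __name__ == "__main__":
    for label, listing in (("kafka_2.12-2.5.0", KAFKA_2_5_0_LIBS), ("fixed", FIXED_LIBS)):
        print(label, "OK" if distribution_ok(listing) else "NOT OK")
        for finding in check_names(listing):
            print("  ", finding["jar"], "-", finding["reason"])
```

To run it against a real download, call `scan_tgz("kafka_2.12-2.5.0.tgz")`; the jar names come straight from the archive index, so nothing is extracted. The version comparison pads tuples so that a bare "2.17" threshold accepts 2.17.0 and 2.17.1; adjust `MIN_ACCEPTABLE` if a later comment on the ticket raises the bar.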


[jira] [Commented] (KAFKA-9366) Upgrade log4j to log4j2

2022-01-18 Thread Warren Grunbok (Jira)


[ 
https://issues.apache.org/jira/browse/KAFKA-9366?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17478116#comment-17478116
 ] 

Warren Grunbok commented on KAFKA-9366:
---

I'm also looking for an official release date with the latest log4j.  Also, 
what version will you be upgrading to?  Thank you for your help in this matter.

> Upgrade log4j to log4j2
> ---
>
> Key: KAFKA-9366
> URL: https://issues.apache.org/jira/browse/KAFKA-9366
> Project: Kafka
>  Issue Type: Bug
>  Components: core
>Affects Versions: 2.2.0, 2.1.1, 2.3.0, 2.4.0
>Reporter: leibo
>Assignee: Dongjin Lee
>Priority: Critical
>  Labels: needs-kip
> Fix For: 3.2.0
>
>
> h2. CVE-2019-17571 Detail
> Included in Log4j 1.2 is a SocketServer class that is vulnerable to 
> deserialization of untrusted data which can be exploited to remotely execute 
> arbitrary code when combined with a deserialization gadget when listening to 
> untrusted network traffic for log data. This affects Log4j versions 1.2 
> up to 1.2.17.
>  
> [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17571]
>  


