[
https://issues.apache.org/jira/browse/KAFKA-15577?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17773985#comment-17773985
]
Bruno Cadonna commented on KAFKA-15577:
---------------------------------------
The vulnerability is in the H2 database engine and not directly in reload4j. H2
is a test dependency of reload4j. According to the [maven
documentation|https://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html#dependency-scope]
the test scope is not transitive. Kafka does not pull in the vulnerability
through reload4j as you can see by running the following command:
{{./gradlew printAllDependencies | grep -C 4 ch.qos.reload4j}}
> Reload4j | CVE-2022-45868
> -------------------------
>
> Key: KAFKA-15577
> URL: https://issues.apache.org/jira/browse/KAFKA-15577
> Project: Kafka
> Issue Type: Bug
> Reporter: masood
> Priority: Critical
>
> Maven indicates
> [CVE-2022-45868|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-45868]
> in Reload4j.jar.
> [https://mvnrepository.com/artifact/ch.qos.reload4j/reload4j/1.2.19]
> Could you please verify if this vulnerability affects Kafka?
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
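The scope argument in the comment above can be checked mechanically rather than by eye. The following is an added example, not code from the ticket, from Kafka or from reload4j: it encodes Maven's scope-propagation table (the one in the dependency-mechanism guide linked in the comment) and applies it to a constructed, simplified POM in which H2 is declared with test scope, as reload4j does. The POM text, the extra `org.example:util` dependency and every version string are made up for illustration; only the H2 coordinates `com.h2database:h2` and the propagation rules are real.

```python
"""Does a transitive dependency actually reach a consumer under Maven's
scope-propagation rules?  Useful for triaging SCA findings that flag a
vulnerable library which is only a test dependency of something you use."""
import xml.etree.ElementTree as ET

# Maven's transitive-scope table (Introduction to the Dependency Mechanism,
# "Dependency Scope").  TRANSITIVE[direct_scope][declared_scope] gives the
# scope the dependency ends up with in the consumer, or None when Maven
# does not propagate it at all.  'provided' and 'test' are never transitive.
TRANSITIVE = {
    "compile":  {"compile": "compile",  "provided": None, "runtime": "runtime",  "test": None},
    "provided": {"compile": "provided", "provided": None, "runtime": "provided", "test": None},
    "runtime":  {"compile": "runtime",  "provided": None, "runtime": "runtime",  "test": None},
    "test":     {"compile": "test",     "provided": None, "runtime": "test",     "test": None},
}

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed POM mirroring the situation in the ticket: H2 is declared with
# <scope>test</scope>.  This is NOT the real reload4j POM; the org.example:util
# dependency and all versions are invented to show the contrast with a
# compile-scoped dependency.
RELOAD4J_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <groupId>ch.qos.reload4j</groupId>
  <artifactId>reload4j</artifactId>
  <version>1.2.19</version>
  <dependencies>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>util</artifactId>
      <version>0.0.1-example</version>
    </dependency>
    <dependency>
      <groupId>com.h2database</groupId>
      <artifactId>h2</artifactId>
      <version>0.0.0-example</version>
      <scope>test</scope>
    </dependency>
  </dependencies>
</project>"""


def parse_dependencies(pom_xml):
    """Return [(groupId:artifactId, declared_scope), ...] from a POM string.
    A missing <scope> element means 'compile', as in Maven."""
    root = ET.fromstring(pom_xml)
    deps = []
    for dep in root.findall("m:dependencies/m:dependency", NS):
        group = dep.findtext("m:groupId", namespaces=NS).strip()
        artifact = dep.findtext("m:artifactId", namespaces=NS).strip()
        scope = dep.findtext("m:scope", default="compile", namespaces=NS).strip()
        deps.append((f"{group}:{artifact}", scope))
    return deps


def transitive_scopes(direct_scope, pom_xml):
    """Map groupId:artifactId -> effective scope for every dependency of the
    POM that propagates to a consumer declaring the POM's artifact with
    direct_scope.  Scope rules only: exclusions, dependencyManagement and
    the 'system'/'import' scopes (never propagated) are out of scope here."""
    if direct_scope not in TRANSITIVE:
        raise ValueError(f"unknown dependency scope: {direct_scope!r}")
    reached = {}
    for ga, declared in parse_dependencies(pom_xml):
        effective = TRANSITIVE[direct_scope].get(declared)
        if effective is not None:
            reached[ga] = effective
    return reached


def reaches_consumer(direct_scope, pom_xml, ga):
    """True if the consumer would receive artifact `ga` transitively."""
    return ga in transitive_scopes(direct_scope, pom_xml)


if __name__ == "__main__":
    for scope in TRANSITIVE:
        print(f"consumer depends on reload4j with scope={scope!r}:",
              transitive_scopes(scope, RELOAD4J_POM))
    print("H2 reaches a compile-scope consumer:",
          reaches_consumer("compile", RELOAD4J_POM, "com.h2database:h2"))
```

Whatever scope the consumer uses for reload4j, the test-scoped H2 entry never appears in the result, while the compile-scoped placeholder dependency does; that is the same conclusion the `./gradlew printAllDependencies | grep` command in the comment reaches against Kafka's real build, and the script is a quick way to triage similar SCA alerts before pulling a whole project's dependency graph.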