Thanks Luke for the prompt response

+1 on the PR for the CVE page update

You can cc me on the PR when it’s ready and I will take a look at it

Thanks

On Fri, Jan 28, 2022 at 9:44 PM Luke Chen <show...@gmail.com> wrote:

> Hi Karupasamy,
>
> Thanks for asking. Answering your questions below:
>
> > 1. Are the CVEs *CVE-2022-23302, CVE-2022-23305* applicable to the Apache
> > Kafka?
>
> Unfortunately, yes, these 2 CVEs: *CVE-2022-23302, CVE-2022-23305* are also
> applicable to the Apache Kafka, because that applied to log4j 1.x version.
>
> > If so, how to mitigate these vulnerabilities, and will there be any
> > patch/fix that will be released?
>
> Yes, the community is working on a KIP to upgrade log4j 1 to log4j 2. You
> can check its status here: KAFKA-9366
> <https://issues.apache.org/jira/browse/KAFKA-9366>
>
> > 2. If not vulnerable, Can we remove the following vulnerable classes from
> > the log4j jar?
> >
> >     zip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class
> >     zip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class
>
> Yes, I think so. Kafka doesn't use JMSSink or JDBCAppender at all.
>
> > 3. Will there be any impact on Kafka's functionalities after removing the
> > above-mentioned classes?
>
> No. Kafka doesn't use JMSSink or JDBCAppender at all.
>
> I'm going to submit a PR to add these 2 CVEs into the cve-list page:
> https://kafka.apache.org/cve-list.
> I think there should be other users who have the same questions.
>
> Thank you.
> Luke
>
> On Fri, Jan 28, 2022 at 9:36 PM Karupasamy S
> <karupasam...@ericsson.com.invalid> wrote:
>
> > Hi Team,
> >
> > Kindly awaiting your response, as this issue needs to be mitigated before
> > our product release to the market in the coming days.
> >
> > Thanks & Regards
> >
> > Karupasamy
> >
> > *From:* Karupasamy S
> > *Sent:* Thursday, January 27, 2022 4:12 PM
> > *To:* users@kafka.apache.org
> > *Cc:* Mariappan Thangavel <mariappan.thanga...@ericsson.com>
> > *Subject:* Apache log4j 1.x vulnerability mitigations on Kafka
> >
> > Hi Team,
> >
> > We are using Apache Kafka as part of the ELK stack and we have an internal
> > tool to find the vulnerabilities present on all the products/3pp which we
> > use in our product.
> >
> > So we received the below vulnerabilities on log4j:
> >
> > *CVE-2022-23302, CVE-2022-23305, CVE-2022-23307*
> >
> > Since Kafka is using log4j internally, we are also applicable to these
> > vulnerabilities. Hence our security team is asking us to mitigate these
> > vulnerabilities before releasing our product to the market.
> >
> > On analyzing further, we found for the CVE *CVE-2022-23307* there is a
> > mitigation plan proposed by Kafka, in the below-mentioned article:
> >
> > https://kafka.apache.org/cve-list
> >
> > But in the same article, we didn't find any information for the CVEs
> > *CVE-2022-23302, CVE-2022-23305*.
> >
> > So kindly help us in clarifying the below queries:
> >
> >    1. Are the CVEs *CVE-2022-23302, CVE-2022-23305* applicable to the
> >    Apache Kafka? If so, how to mitigate these vulnerabilities, and will
> >    there be any patch/fix that will be released?
> >
> >    2. If not vulnerable, can we remove the following vulnerable classes
> >    from the log4j jar?
> >
> >       zip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class
> >       zip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class
> >
> >    3. Will there be any impact on Kafka's functionalities after removing
> >    the above-mentioned classes?
> >
> > Thanks & Regards
> >
> > Karupasamy
> >
>
-- 
Israel Ekpo
Lead Instructor, IzzyAcademy.com
https://www.youtube.com/c/izzyacademy
https://izzyacademy.com/
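An added example, not code from this thread or from the Kafka project: a Python script that applies the same two-class removal discussed above (JMSSink and JDBCAppender) but to a copy of the jar rather than in place like `zip -d`, then re-scans the result so the removal can be verified and the untouched entries (manifest included) can be confirmed. The jar it operates on is a constructed stand-in with placeholder entries named after the real classes, and the filename `log4j-1.2.17.jar` is an assumption.

```python
import shutil
import tempfile
import zipfile
from pathlib import Path

# The two log4j 1.x classes named in the thread.  The CVE mapping in the
# comments is taken from the thread's own pairing, not verified here.
VULNERABLE_CLASSES = (
    "org/apache/log4j/net/JMSSink.class",        # CVE-2022-23302
    "org/apache/log4j/jdbc/JDBCAppender.class",  # CVE-2022-23305
)


def find_vulnerable_classes(jar_path):
    """Return the subset of VULNERABLE_CLASSES present in jar_path (a scan step)."""
    with zipfile.ZipFile(jar_path) as zf:
        names = set(zf.namelist())
    return [cls for cls in VULNERABLE_CLASSES if cls in names]


def strip_classes(jar_path, out_path, classes=VULNERABLE_CLASSES):
    """Copy jar_path to out_path without the listed entries.

    Every other entry (including META-INF/MANIFEST.MF) is carried over with its
    original ZipInfo, so timestamps and compression settings are preserved.
    Returns the entry names that were dropped."""
    removed = []
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(out_path, "w") as dst:
        for info in src.infolist():
            if info.filename in classes:
                removed.append(info.filename)
                continue
            dst.writestr(info, src.read(info.filename))
    return removed


def build_sample_jar(path):
    """Constructed stand-in for a log4j 1.x jar: placeholder bytes, real entry names."""
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/apache/log4j/Logger.class", b"\xca\xfe\xba\xbe placeholder")
        for cls in VULNERABLE_CLASSES:
            zf.writestr(cls, b"\xca\xfe\xba\xbe placeholder")


def demo():
    """Build the sample jar, strip it, and report before/after findings."""
    workdir = Path(tempfile.mkdtemp())
    original = workdir / "log4j-1.2.17.jar"            # assumed filename
    hardened = workdir / "log4j-1.2.17-stripped.jar"
    build_sample_jar(original)
    before = find_vulnerable_classes(original)
    removed = strip_classes(original, hardened)
    after = find_vulnerable_classes(hardened)
    with zipfile.ZipFile(hardened) as zf:
        remaining = sorted(zf.namelist())
    shutil.rmtree(workdir)
    return {"before": before, "removed": removed, "after": after, "remaining": remaining}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Because the output is a fresh jar, the original stays intact for rollback, and `find_vulnerable_classes` doubles as a check you can run across every deployed jar to confirm the classes are really gone before the scanner is re-run.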