Hi Israel and all,

The PR to add CVE-2022-23302
<https://github.com/advisories/GHSA-w9p3-5cr8-m3jj> and CVE-2022-23305
<https://github.com/advisories/GHSA-65fg-84f6-3jq3> is here:
https://github.com/apache/kafka-site/pull/396

You're welcome to review it.

Thank you.
Luke

On Sat, Jan 29, 2022 at 11:22 AM Israel Ekpo <israele...@gmail.com> wrote:

> Thanks Luke for the prompt response
>
> +1 on the PR for the CVE page update
>
> You can cc me on the PR when it’s ready and I will take a look at it
>
> Thanks
>
> On Fri, Jan 28, 2022 at 9:44 PM Luke Chen <show...@gmail.com> wrote:
>
> > Hi Karupasamy,
> >
> > Thanks for asking. Answering your questions below:
> >
> > > 1. Are the CVEs *CVE-2022-23302, CVE-2022-23305* applicable to the
> > > Apache Kafka?
> >
> > Unfortunately, yes, these 2 CVEs: *CVE-2022-23302, CVE-2022-23305* are
> > also applicable to Apache Kafka, because they apply to the log4j 1.x
> > version.
> >
> > > If so, how to mitigate these vulnerabilities, and will there be any
> > > patch/fix that will be released?
> >
> > Yes, the community is working on a KIP to upgrade log4j 1 to log4j 2. You
> > can check its status here: KAFKA-9366
> > <https://issues.apache.org/jira/browse/KAFKA-9366>
> >
> >
> > > 2. If not vulnerable, can we remove the following vulnerable classes
> > > from the log4j jar?
> >
> >     zip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class
> >     zip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class
> >
> > Yes, I think so. Kafka doesn't use JMSSink or JDBCAppender at all.
> >
> >
> > > 3. Will there be any impact on Kafka's functionalities after removing
> > > the above-mentioned classes?
> >
> > No. Kafka doesn't use JMSSink or JDBCAppender at all.
> >
> >
> > I'm going to submit a PR to add these 2 CVEs into the cve-list page:
> > https://kafka.apache.org/cve-list.
> > I think there should be other users who have the same questions.
> >
> > Thank you.
> > Luke
> >
> >
> > On Fri, Jan 28, 2022 at 9:36 PM Karupasamy S
> > <karupasam...@ericsson.com.invalid> wrote:
> >
> > > Hi Team,
> > >
> > >
> > >
> > > Kindly awaiting your response, as this issue needs to be
> > > mitigated before our product release to the market in the coming days.
> > >
> > >
> > >
> > > Thanks & Regards
> > >
> > > Karupasamy
> > >
> > >
> > >
> > > *From:* Karupasamy S
> > > *Sent:* Thursday, January 27, 2022 4:12 PM
> > > *To:* users@kafka.apache.org
> > > *Cc:* Mariappan Thangavel <mariappan.thanga...@ericsson.com>
> > > *Subject:* Apache log4j 1.x vulnerability mitigations on Kafka
> > >
> > >
> > >
> > > Hi Team,
> > >
> > >
> > >
> > >
> > >
> > > We are using Apache Kafka as part of the ELK stack and we
> > > have an internal tool to find the vulnerabilities present on all the
> > > products/3pp which we use in our product.
> > >
> > >
> > >
> > > So we received the below vulnerabilities on log4j:
> > >
> > >
> > >
> > > *CVE-2022-23302, CVE-2022-23305, CVE-2022-23307*
> > >
> > >
> > >
> > > Since Kafka is using log4j internally we are also
> > > applicable to these vulnerabilities. Hence our security team is asking us
> > > to mitigate these vulnerabilities before releasing our product to the
> > > market.
> > >
> > >
> > >
> > > On analyzing further, we found for the CVE *CVE-2022-23307*, there is
> > > a mitigation plan proposed by Kafka, in the below-mentioned article:
> > > https://kafka.apache.org/cve-list
> > >
> > >
> > >
> > >
> > >
> > > But in the same article, we didn't find any information
> > > for the CVEs *CVE-2022-23302, CVE-2022-23305*.
> > >
> > >
> > >
> > > So kindly help us in clarifying the below queries:
> > >
> > >
> > >
> > >    1. Are the CVEs *CVE-2022-23302, CVE-2022-23305* applicable to the
> > >    Apache Kafka? If so, how to mitigate these vulnerabilities, and will
> > >    there be any patch/fix that will be released?
> > >
> > >    2. If not vulnerable, can we remove the following vulnerable classes
> > >    from the log4j jar?
> > >
> > >        zip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class
> > >        zip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class
> > >
> > >    3. Will there be any impact on Kafka's functionalities after removing
> > >    the above-mentioned classes?
> > >
> > >
> > >
> > >
> > >
> > >
> > > Thanks & Regards
> > >
> > > Karupasamy
> > >
> > >
> > >
> >
> --
> Israel Ekpo
> Lead Instructor, IzzyAcademy.com
> https://www.youtube.com/c/izzyacademy
> https://izzyacademy.com/
>
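The mitigation discussed in the thread is the pair of `zip -q -d` commands that delete `org/apache/log4j/net/JMSSink.class` and `org/apache/log4j/jdbc/JDBCAppender.class` from the log4j 1.x jar. The script below is an added example, not code from the thread, from the Kafka project, or from the log4j project: it performs the same audit-and-strip step with only the Python standard library (so it works on hosts without the `zip` binary), writes a new jar instead of editing in place so the original can be kept for comparison, and verifies afterwards that the entries are gone and the archive is still intact. The jar it builds for the demo is a constructed stand-in with placeholder bytes, not a real log4j build; the file name `log4j-1.2.17.jar` and the `run_demo` helper are assumptions for illustration only.

```python
"""
Added example (not code from the thread or from the Kafka project): audit a
log4j 1.x jar for the classes the thread removes with `zip -q -d` and write a
stripped copy, using only the Python standard library.
"""
import tempfile
import zipfile
from pathlib import Path

# The two entries the thread removes (CVE-2022-23302 -> JMSSink,
# CVE-2022-23305 -> JDBCAppender). Extend the tuple to audit further entries.
VULNERABLE_CLASSES = (
    "org/apache/log4j/net/JMSSink.class",
    "org/apache/log4j/jdbc/JDBCAppender.class",
)


def find_classes(jar: Path, classes=VULNERABLE_CLASSES) -> list:
    """Return the subset of `classes` present in `jar`, in the order of `classes`."""
    with zipfile.ZipFile(jar) as zf:
        names = set(zf.namelist())
    return [c for c in classes if c in names]


def strip_classes(src: Path, dst: Path, classes=VULNERABLE_CLASSES) -> list:
    """Copy `src` to `dst` without the entries in `classes`; return what was removed.

    This is the stdlib equivalent of `zip -q -d src <entries>`, except that the
    original jar is left untouched. Each ZipInfo is copied as-is, so compression
    method and timestamps of the surviving entries are preserved.
    """
    targets = set(classes)
    removed = []
    with zipfile.ZipFile(src) as zin, zipfile.ZipFile(dst, "w") as zout:
        for info in zin.infolist():
            if info.filename in targets:
                removed.append(info.filename)
                continue
            zout.writestr(info, zin.read(info.filename))
    return removed


def build_sample_jar(path: Path) -> None:
    """Write a constructed stand-in for a log4j 1.2.x jar (placeholder bytes, not real classes)."""
    entries = {
        "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
        "org/apache/log4j/Logger.class": b"placeholder-Logger",
        "org/apache/log4j/net/JMSSink.class": b"placeholder-JMSSink",
        "org/apache/log4j/jdbc/JDBCAppender.class": b"placeholder-JDBCAppender",
    }
    with zipfile.ZipFile(path, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)


def run_demo() -> dict:
    """Build the toy jar, audit it, strip it, re-audit, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "log4j-1.2.17.jar"           # assumed file name
        dst = Path(tmp) / "log4j-1.2.17-stripped.jar"  # assumed file name
        build_sample_jar(src)
        before = find_classes(src)
        removed = strip_classes(src, dst)
        after = find_classes(dst)
        with zipfile.ZipFile(dst) as zf:
            remaining = zf.namelist()
            integrity_ok = zf.testzip() is None  # None means every CRC checked out
    return {
        "before": before,
        "removed": removed,
        "after": after,
        "remaining": remaining,
        "integrity_ok": integrity_ok,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

On a real deployment, point `find_classes` at every log4j 1.x jar on the classpath before and after the change: the "before" list is the evidence your scanner is reacting to, and an empty "after" list plus a clean `testzip()` is what to keep as proof of mitigation. Writing to a new file rather than deleting in place also makes it easy to diff the two jars and to roll back if something unexpected still referenced the removed classes.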
