Excellent Luke I will take a look shortly

On Fri, Jan 28, 2022 at 11:12 PM Luke Chen <show...@gmail.com> wrote:

> Hi Israel and all,
>
> The PR to add CVE-2022-23302 <https://github.com/advisories/GHSA-w9p3-5cr8-m3jj>
> and CVE-2022-23305 <https://github.com/advisories/GHSA-65fg-84f6-3jq3> is here:
> https://github.com/apache/kafka-site/pull/396
>
> Welcome to review.
>
> Thank you.
> Luke
>
> On Sat, Jan 29, 2022 at 11:22 AM Israel Ekpo <israele...@gmail.com> wrote:
>
> > Thanks Luke for the prompt response
> >
> > +1 on the PR for the CVE page update
> >
> > You can cc me on the PR when it's ready and I will take a look at it
> >
> > Thanks
> >
> > On Fri, Jan 28, 2022 at 9:44 PM Luke Chen <show...@gmail.com> wrote:
> >
> > > Hi Karupasamy,
> > >
> > > Thanks for your asking. Answering your question below:
> > >
> > > > 1. Are the CVEs *CVE-2022-23302, CVE-2022-23305* applicable to the
> > > > Apache Kafka?
> > >
> > > Unfortunately, yes, these 2 CVEs: *CVE-2022-23302, CVE-2022-23305* are
> > > also applicable to the Apache Kafka, because that applied to log4j 1.x
> > > version.
> > >
> > > > If so, how to mitigate these vulnerabilities, and will there be any
> > > > patch/fix that will be released?
> > >
> > > Yes, the community is working on a KIP to upgrade log4j 1 to log4j 2. You
> > > can check its status here: KAFKA-9366
> > > <https://issues.apache.org/jira/browse/KAFKA-9366>
> > >
> > > > 2. If not vulnerable, Can we remove the following vulnerable classes
> > > > from the log4j jar?
> > > >
> > > > zip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class
> > > > zip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class
> > >
> > > Yes, I think so. This is. Kafka doesn't use JMSSink or JDBCAppender at
> > > all.
> > >
> > > > 3. Will there be any impact on Kafka's functionalities after removing
> > > > the above-mentioned classes?
> > >
> > > No. Kafka doesn't use JMSSink or JDBCAppender at all.
> > >
> > > I'm going to submit a PR to add these 2 CVEs into cve-list page:
> > > https://kafka.apache.org/cve-list.
> > > I think there should be other users have the same questions.
> > >
> > > Thank you.
> > > Luke
> > >
> > > On Fri, Jan 28, 2022 at 9:36 PM Karupasamy S
> > > <karupasam...@ericsson.com.invalid> wrote:
> > >
> > > > Hi Team,
> > > >
> > > > Kindly awaiting your response, as this issue needs to be mitigated
> > > > before our product release to the market in the coming days.
> > > >
> > > > Thanks & Regards
> > > >
> > > > Karupasamy
> > > >
> > > > *From:* Karupasamy S
> > > > *Sent:* Thursday, January 27, 2022 4:12 PM
> > > > *To:* users@kafka.apache.org
> > > > *Cc:* Mariappan Thangavel <mariappan.thanga...@ericsson.com>
> > > > *Subject:* Apache log4j 1.x vulnerability mitigations on Kafka
> > > >
> > > > Hi Team,
> > > >
> > > > We are using Apache Kafka as part of the ELK stack and we have an
> > > > internal tool to find the vulnerabilities present on all the
> > > > products/3pp which we use in our product.
> > > >
> > > > So we received the below vulnerabilities on log4j:
> > > >
> > > > *CVE-2022-23302, CVE-2022-23305, CVE-2022-23307*
> > > >
> > > > Since Kafka is using log4j internally we are also applicable to these
> > > > vulnerabilities. Hence our security team is asking us to mitigate
> > > > these vulnerabilities before releasing our product to the market.
> > > >
> > > > On analyzing further, we found for the CVE *CVE-2022-23307*, there is
> > > > a mitigation plan proposed by Kafka, in the below-mentioned article:
> > > >
> > > > https://kafka.apache.org/cve-list
> > > >
> > > > But in the same article we didn't find any information for the CVEs
> > > > *CVE-2022-23302, CVE-2022-23305*.
> > > >
> > > > So kindly help us in clarifying the below queries:
> > > >
> > > > 1. Are the CVEs *CVE-2022-23302, CVE-2022-23305* applicable to the
> > > >    Apache Kafka? If so, how to mitigate these vulnerabilities, and
> > > >    will there be any patch/fix that will be released?
> > > >
> > > > 2. If not vulnerable, Can we remove the following vulnerable classes
> > > >    from the log4j jar?
> > > >
> > > >    zip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class
> > > >    zip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class
> > > >
> > > > 3. Will there be any impact on Kafka's functionalities after removing
> > > >    the above-mentioned classes?
> > > >
> > > > Thanks & Regards
> > > >
> > > > Karupasamy
> >
> > --
> > Israel Ekpo
> > Lead Instructor, IzzyAcademy.com
> > https://www.youtube.com/c/izzyacademy
> > https://izzyacademy.com/

--
Israel Ekpo
Lead Instructor, IzzyAcademy.com
https://www.youtube.com/c/izzyacademy
https://izzyacademy.com/
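The class-removal mitigation discussed in the thread (the `zip -q -d log4j-*.jar ...` commands for JMSSink and JDBCAppender) as an added, self-contained example that is not part of the thread or of the Kafka project: it does the same deletion with Python's standard-library `zipfile`, but audits the jar first so you know whether the entries are present, and re-audits afterwards so the removal can be verified and recorded. The jar it operates on is constructed inline with placeholder bytes in place of real class files, and the file name `log4j-1.2.17.jar` is an assumption for the demo.

```python
"""Audit a log4j 1.x jar for the JMSSink / JDBCAppender classes and strip them.

Added example (not from the mailing-list thread or the Kafka project): it does
with Python's stdlib zipfile what the thread's `zip -q -d log4j-*.jar ...`
commands do, plus an audit before and a verification after the rewrite.
"""
import tempfile
import zipfile
from pathlib import Path

# Class entries named in the thread as the ones to remove from log4j 1.x jars.
VULNERABLE_ENTRIES = (
    "org/apache/log4j/net/JMSSink.class",        # CVE-2022-23302
    "org/apache/log4j/jdbc/JDBCAppender.class",  # CVE-2022-23305
)


def audit_jar(jar_path):
    """Return the vulnerable entries present in the jar (empty list if clean)."""
    with zipfile.ZipFile(jar_path) as zf:
        names = set(zf.namelist())
    return [entry for entry in VULNERABLE_ENTRIES if entry in names]


def strip_jar(jar_path, entries=VULNERABLE_ENTRIES):
    """Rewrite the jar without the given entries, equivalent to `zip -d`.

    zipfile cannot delete in place, so every other entry is copied into a new
    archive (keeping its original compression and metadata) which then replaces
    the original file. Returns the entries that were actually removed.
    """
    jar_path = Path(jar_path)
    tmp_path = jar_path.with_suffix(jar_path.suffix + ".tmp")
    removed = []
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp_path, "w") as dst:
        for info in src.infolist():
            if info.filename in entries:
                removed.append(info.filename)
                continue
            dst.writestr(info, src.read(info.filename))
    tmp_path.replace(jar_path)
    return removed


def build_sample_jar(jar_path):
    """Constructed sample jar for the demo: a manifest, two harmless entries and
    the two vulnerable entries. Contents are placeholder bytes, not real classes."""
    with zipfile.ZipFile(jar_path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/apache/log4j/Logger.class", b"\xca\xfe\xba\xbe placeholder")
        zf.writestr("org/apache/log4j/PatternLayout.class", b"\xca\xfe\xba\xbe placeholder")
        for entry in VULNERABLE_ENTRIES:
            zf.writestr(entry, b"\xca\xfe\xba\xbe placeholder")


def demo(workdir=None):
    """Build the sample jar, audit, strip, re-audit.

    Returns (found_before, removed, found_after, remaining_entries).
    """
    if workdir is None:
        with tempfile.TemporaryDirectory() as d:
            return demo(d)
    jar = Path(workdir) / "log4j-1.2.17.jar"  # assumed file name, constructed for the demo
    build_sample_jar(jar)
    before = audit_jar(jar)
    removed = strip_jar(jar)
    after = audit_jar(jar)
    with zipfile.ZipFile(jar) as zf:
        remaining = sorted(zf.namelist())
    return before, removed, after, remaining


if __name__ == "__main__":
    before, removed, after, remaining = demo()
    print("vulnerable entries found before:", before)
    print("removed:", removed)
    print("vulnerable entries found after:", after)
    print("remaining entries:", remaining)
```

Running the audit before and after is the point: the "before" list is what a scanner like the one described in the thread would flag, and an empty "after" list is the evidence to attach when the mitigation is signed off. On a real jar, run `audit_jar` against the actual `log4j-*.jar` shipped in Kafka's `libs/` directory and keep a copy of the original before `strip_jar` replaces it.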