Kafka / KAFKA-10245

Using vulnerable log4j version


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Duplicate
    • Affects Version/s: 2.5.0
    • Fix Version/s: None
    • Component/s: core, KafkaConnect
    • Labels: (none)

Description

I checked the kafka_2.12-2.5.0.tgz distribution with WhiteSource and found out that the log4j version used in kafka-connect and the kafka-broker has vulnerabilities:

    • log4j-1.2.17.jar has the CVE-2019-17571 and CVE-2020-9488 vulnerabilities. The way to fix this is to upgrade to org.apache.logging.log4j:log4j-core:2.13.2.

To Reproduce

    1. Download kafka_2.12-2.5.0.tgz.
    2. Open the libs folder in it and find log4j-1.2.17.jar.
    3. Check CVE-2019-17571 and CVE-2020-9488 to see that log4j 1.2.17 is vulnerable.

Expected

    • log4j is log4j-core 2.13.2 or higher

Actual

    • log4j is 1.2.17
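The reproduction steps above (unpack the tarball, look in libs/, read the log4j jar's version) can be automated so that the check runs in CI against every distribution build. The script below is an added example, not part of this issue or of the Kafka project: a POSIX shell scan of a libs/ directory that flags any log4j 1.x jar (the line the reporter ties to CVE-2019-17571 and CVE-2020-9488) and checks that any log4j-core or log4j-api 2.x jar is at or above the 2.13.2 the reporter asks for. It assumes Maven-style <artifact>-<version>.jar file names, as log4j-1.2.17.jar has in the tarball's libs folder; the sample directory it builds when run without arguments is constructed for the demonstration, not taken from a real distribution.

```shell
#!/bin/sh
# Added example (not Kafka project code): flag outdated log4j jars in a
# Kafka distribution's libs/ directory. Assumes Maven-style file names,
# i.e. <artifact>-<version>.jar, which is how the tarball ships them.

# version_ge A B: succeed (exit 0) when dotted version A >= B.
# Compares component by component numerically, so 2.13.2 > 2.9.1.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".");
        len = (n > m) ? n : m;
        for (i = 1; i <= len; i++) {
            xi = (i <= n) ? x[i] + 0 : 0;
            yi = (i <= m) ? y[i] + 0 : 0;
            if (xi > yi) exit 0;
            if (xi < yi) exit 1;
        }
        exit 0
    }'
}

# Minimum log4j 2.x release the issue asks for.
MIN_LOG4J2="2.13.2"

# classify_log4j_jar NAME: print a verdict for one jar file name.
# VULNERABLE for any log4j 1.x jar, OUTDATED/OK for log4j 2.x artifacts
# depending on $MIN_LOG4J2, SKIP for anything that is not log4j itself.
classify_log4j_jar() {
    name=${1%.jar}
    case "$name" in
        log4j-1.*)
            echo "VULNERABLE log4j 1.x (EOL; CVE-2019-17571, CVE-2020-9488)" ;;
        log4j-core-*|log4j-api-*)
            ver=${name##*-}
            if version_ge "$ver" "$MIN_LOG4J2"; then
                echo "OK ${name%-*} $ver"
            else
                echo "OUTDATED ${name%-*} $ver (< $MIN_LOG4J2)"
            fi ;;
        *)
            echo "SKIP" ;;
    esac
}

# scan_libs DIR: print one line per log4j jar found under DIR and fail
# (exit 1) when any of them is VULNERABLE or OUTDATED, so the function
# can gate a build.
scan_libs() {
    rc=0
    for jar in "$1"/log4j*.jar; do
        [ -e "$jar" ] || continue      # no match: glob stayed literal
        base=$(basename "$jar")
        verdict=$(classify_log4j_jar "$base")
        case "$verdict" in SKIP) continue ;; esac
        printf '%s: %s\n' "$base" "$verdict"
        case "$verdict" in OK*) ;; *) rc=1 ;; esac
    done
    return $rc
}

# Usage: sh check_log4j.sh /path/to/kafka_2.12-2.5.0/libs
# Without an argument, scan a constructed sample directory that mimics
# the finding in this issue (a log4j-1.2.17.jar beside the Kafka jars).
if [ -n "${1:-}" ]; then
    scan_libs "$1"
else
    demo=$(mktemp -d)
    touch "$demo/log4j-1.2.17.jar" "$demo/kafka_2.12-2.5.0.jar" \
          "$demo/slf4j-log4j12-1.7.30.jar"
    scan_libs "$demo" || echo "result: outdated or vulnerable log4j found"
    rm -rf "$demo"
fi
```

Run against an unpacked tarball with sh check_log4j.sh kafka_2.12-2.5.0/libs; a non-zero exit means a log4j 1.x jar or a log4j 2.x jar below 2.13.2 is present. The version comparison is numeric per component, so it does not misorder 2.9.1 against 2.13.2 the way a plain string sort would; the binding jar slf4j-log4j12 is deliberately not matched, since its version tracks SLF4J rather than log4j.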

People

    • Assignee: Unassigned
    • Reporter: pavel-sbor Pavel Kuznetsov
    • Votes: 0
    • Watchers: 2
