[KAFKA-10245] Using vulnerable log4j version - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Duplicate
Affects Version/s: 2.5.0
Fix Version/s: None
Component/s: connect, core
Labels:
- security

Description

Description
I checked kafka_2.12-2.5.0.tgz distribution with WhiteSource and find out that log4j version, that used in kafka-connect and kafka-brocker, has vulnerabilities

log4j-1.2.17.jar has CVE-2019-17571 and CVE-2020-9488 vulnerabilities. The way to fix it is to upgrade to org.apache.logging.log4j:log4j-core:2.13.2

To Reproduce
Download kafka_2.12-2.5.0.tgz
Open libs folder in it and find log4j-1.2.17.jar.
Check CVE-2019-17571 and CVE-2020-9488 to see that log4j 1.2.17 is vulnerable.

Expected

log4j is log4j-core 2.13.2 or higher

Actual

log4j is 1.2.17

Attachments

Activity

People

Assignee:: Unassigned

Reporter:: Pavel Kuznetsov

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 07/Jul/20 18:02

Updated:: 18/Jan/22 18:37

Resolved:: 08/Jul/20 07:50