Description
I checked the kafka_2.12-2.5.0.tgz distribution with WhiteSource and found out that the log4j version used in kafka-connect and kafka-broker has vulnerabilities:
- log4j-1.2.17.jar has the CVE-2019-17571 and CVE-2020-9488 vulnerabilities. The way to fix it is to upgrade to org.apache.logging.log4j:log4j-core:2.13.2
To Reproduce
Download kafka_2.12-2.5.0.tgz.
Open the libs folder in it and find log4j-1.2.17.jar.
Check CVE-2019-17571 and CVE-2020-9488 to see that log4j 1.2.17 is vulnerable.
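The steps above can be scripted as a version gate over the distribution's libs folder. The following is an added example, not code from the Kafka project or from the reporter; it assumes the kafka_<scala>-<version>/libs/*.jar tarball layout described above and builds a constructed tarball with empty placeholder jars so it runs offline.

```shell
#!/bin/sh
# Added example (not from the Kafka project or the report): scan a Kafka
# distribution tarball for log4j jars and flag the 1.x line, the condition
# the report describes for kafka_2.12-2.5.0.tgz.
# Assumed layout: kafka_<scala>-<version>/libs/*.jar, as in the report.

# Print the names of log4j jars found under any libs/ directory in the tarball.
list_log4j_jars() {
  tar tzf "$1" | sed -n 's#.*/libs/\(log4j[^/]*\.jar\)$#\1#p'
}

# Return 0 if dotted version $1 is lower than $2 (2.12.0 < 2.13.2), else 1.
ver_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "[.]"); nb = split(b, y, "[.]"); n = (na > nb ? na : nb)
    for (i = 1; i <= n; i++) { if (x[i]+0 < y[i]+0) exit 0; if (x[i]+0 > y[i]+0) exit 1 }
    exit 1 }'
}

# Return 0 if the tarball ships no log4j 1.x jar and any log4j-core jar is at
# least version $2 (default 2.13.2, the version the report asks for); otherwise
# print each finding and return 1.
check_log4j() {
  tarball=$1; min=${2:-2.13.2}; rc=0
  for jar in $(list_log4j_jars "$tarball"); do
    case $jar in
      log4j-1.*.jar)
        echo "VULNERABLE: $jar is log4j 1.x (CVE-2019-17571, CVE-2020-9488)"; rc=1 ;;
      log4j-core-*.jar)
        ver=${jar#log4j-core-}; ver=${ver%.jar}
        if ver_lt "$ver" "$min"; then echo "OUTDATED: $jar is below $min"; rc=1; fi ;;
    esac
  done
  return $rc
}

# Build a constructed tarball mimicking the report's layout (empty placeholder
# jars, not a real Kafka download); $1 is the log4j jar name to include.
make_sample_tarball() {
  dir=$(mktemp -d); mkdir -p "$dir/kafka_2.12-2.5.0/libs"
  : > "$dir/kafka_2.12-2.5.0/libs/$1"
  : > "$dir/kafka_2.12-2.5.0/libs/kafka-clients-2.5.0.jar"
  tar czf "$dir/kafka_2.12-2.5.0.tgz" -C "$dir" kafka_2.12-2.5.0
  echo "$dir/kafka_2.12-2.5.0.tgz"
}

# Usage: reproduce the report's finding on the constructed tarball.
check_log4j "$(make_sample_tarball log4j-1.2.17.jar)" || echo "log4j 1.x found, as in the report"
```

Point check_log4j at a real downloaded kafka_2.12-2.5.0.tgz to get the same VULNERABLE line for log4j-1.2.17.jar.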
Expected
- log4j is log4j-core 2.13.2 or higher
Actual
- log4j is 1.2.17