  1. Kafka
  2. KAFKA-13594

In TNPM Wireline Project, vulnerability found in Log4j-1.2.17.jar under KAFKA directory

Details

    • Task
    • Status: Open
    • Major
    • Resolution: Unresolved
    • 2.6.0
    • 2.6.0
    • log, logging
    • None
    • Important

    Description

      In the TNPM wireline project, we used Kafka 2.6.x, which uses Log4j-1.2.17.jar, in which we found this JMSAppender.class.

      Is this class vulnerable in Log4j-1.2.17.jar?

      Could you please suggest any steps or refer us to any document?

        Activity

          junrao Jun Rao added a comment -

          Waseem_bhura : You can refer to https://kafka.apache.org/cve-list for this issue.

          Waseem_bhura Waseem added a comment -

          In our project we have a separate installation of the project, and we have to add Kafka as third-party software. Under the kafka folder there is a log4j-1.2.17.jar file that contains JMSAppender.class, which shows as vulnerable according to the link you sent.

          After removing JMSAppender.class from the Log4j-1.2.17.jar that is available in Kafka 2.6.0, does it impact the separately installed application?

          Could you please advise us?

          junrao Jun Rao added a comment -

          Waseem_bhura : Once you remove JMSAppender, it shouldn't affect the application assuming that it doesn't use JMSAppender.

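          One way to act on the advice in this thread, as an added example that is not part of the original issue or Kafka's own tooling: it finds jars that still carry JMSAppender.class, checks that no log4j configuration uses the appender (the condition stated in the last comment), and writes a stripped copy of the jar. The kafka/libs and kafka/config layout, the stub jar contents and all function names are constructed for illustration.

```python
# Added example; paths and sample data below are constructed, not from the issue.
import re, tempfile, zipfile
from pathlib import Path
JMS_ENTRY = "org/apache/log4j/net/JMSAppender.class"
JMS_REF = re.compile(r"org\.apache\.log4j\.net\.JMSAppender")

def has_jms(jar):
    with zipfile.ZipFile(jar) as zf:
        return JMS_ENTRY in zf.namelist()

def jars_with_jmsappender(root):
    """Jars under root that still contain JMSAppender.class."""
    return [j for j in sorted(Path(root).rglob("*.jar"))
            if zipfile.is_zipfile(j) and has_jms(j)]

def configs_using_jmsappender(root):
    """(file, line no.) of config lines naming JMSAppender; skips '#'/'!' comment lines."""
    refs = []
    for cfg in sorted(Path(root).rglob("log4j*")):
        if cfg.is_file() and cfg.suffix in (".properties", ".xml"):
            for n, line in enumerate(cfg.read_text(errors="replace").splitlines(), 1):
                if JMS_REF.search(line) and not line.lstrip().startswith(("#", "!")):
                    refs.append((cfg, n))
    return refs

def strip_jmsappender(jar):
    """Write <jar>.stripped without JMSAppender.class; the original jar is untouched."""
    out = Path(str(jar) + ".stripped")
    with zipfile.ZipFile(jar) as src, zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            if item.filename != JMS_ENTRY:
                dst.writestr(item, src.read(item.filename))
    return out

def build_sample(root):
    """Constructed sample tree: a stand-in jar with stub entries and one config file."""
    libs, conf = Path(root, "kafka", "libs"), Path(root, "kafka", "config")
    libs.mkdir(parents=True); conf.mkdir()
    with zipfile.ZipFile(libs / "log4j-1.2.17.jar", "w") as zf:
        zf.writestr(JMS_ENTRY, b"stub")
        zf.writestr("org/apache/log4j/Logger.class", b"stub")
    (conf / "log4j.properties").write_text(  # the appender line is commented out
        "#log4j.appender.jms=org.apache.log4j.net.JMSAppender\nlog4j.rootLogger=INFO\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample(d)
        for jar in jars_with_jmsappender(d):
            print("contains JMSAppender:", jar, "->", strip_jmsappender(jar))
        print("config references:", configs_using_jmsappender(d))
```

          An empty list of config references is the case where removing the class should not affect the application. Any entry in that list is a logger configuration to change before the stripped jar is swapped in.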

          People

            Unassigned Unassigned
            Waseem_bhura Waseem