
Affected by CVE-2021-44228? #128

Closed
DrauzJu opened this issue Dec 12, 2021 · 5 comments

Comments

@DrauzJu

DrauzJu commented Dec 12, 2021

Hi,

can somebody please confirm that the image confluentinc/cp-kafka:6.0.1 is NOT affected by the log4j vulnerability CVE-2021-44228?

If I checked correctly, it uses a custom log4j version based on v1.2.17 (https://github.com/confluentinc/kafka/blob/9c1fbb3db1e0d69d09f165b3b9861fc984ad1a62/gradle/dependencies.gradle#L78), which is not included in the list of affected versions. Still, I want to make sure I am right here.

Thank you!

@tim-brand

Kafka is using log4j v1, which is not affected. Only with a specific JMS configuration is it vulnerable.

So, in short, as long as you're using Kafka, and not setting the JMS configuration TopicBindingName or TopicConnectionFactoryBindingName to something that JNDI can handle, it is safe!

Source: https://lists.apache.org/thread/lgbtvvmy68p0059yoyn9qxzosdmx4jdv

To be honest, I'm not familiar with this "jms configuration", but hope this info helps.

@tnagel1

tnagel1 commented Dec 13, 2021

Who can identify which kafka images and also confluentinc/cp-kafka-connect images are affected by the vulnerability?
I'm currently using version 7.0.0 of the confluentinc/cp-kafka-connect images in a helm chart and want to know if this is affected or not.

@roadSurfer

According to this SO post, Log4J 1.x should only be vulnerable if you have configured the JMSAppender.
That said, Log4J 1.x has other vulnerabilities.
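
Both tim-brand's and roadSurfer's comments above make the same point: Log4j 1.x is only exposed (CVE-2021-4104) when a JMSAppender is configured, and the risk comes from its TopicBindingName and TopicConnectionFactoryBindingName being resolved through JNDI. The script below is an added example, not code from this issue or from Confluent; it parses a log4j 1.x properties file (a constructed sample is embedded), lists every appender of class org.apache.log4j.net.JMSAppender, reports the two JNDI binding properties, and notes whether the appender is actually attached to the root logger or any named logger. The sample configuration and the function names are this example's own assumptions.

```python
import re
from typing import Dict, List

# Constructed sample log4j 1.x configuration (not taken from any real image).
# The "jms" appender is a JMSAppender whose binding names are resolved via JNDI.
SAMPLE_LOG4J_PROPERTIES = """
# constructed example, not a real broker config
log4j.rootLogger=INFO, stdout, jms
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.TopicBindingName=ldap://example.invalid/a
log4j.appender.jms.TopicConnectionFactoryBindingName=ConnectionFactory
"""

# Constructed clean configuration: console appender only, no JMSAppender.
SAMPLE_CLEAN_PROPERTIES = """
log4j.rootLogger=INFO, stdout
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
"""

JMS_APPENDER_CLASS = "org.apache.log4j.net.JMSAppender"
# The two properties the Apache advisory names as the JNDI-resolved inputs.
JNDI_BINDING_KEYS = ("TopicBindingName", "TopicConnectionFactoryBindingName")


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties parser: key=value / key:value, '#' and '!' comments."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def referenced_appenders(props: Dict[str, str]) -> set:
    """Appender names attached to the root logger or any named logger.

    Logger values look like "LEVEL, appenderA, appenderB"; the first token is the level.
    """
    attached = set()
    for key, value in props.items():
        if key == "log4j.rootLogger" or key.startswith("log4j.logger."):
            parts = [p.strip() for p in value.split(",")]
            attached.update(p for p in parts[1:] if p)
    return attached


def find_jms_appenders(props: Dict[str, str]) -> List[dict]:
    """Return one finding per JMSAppender: its name, JNDI binding values, and whether it is attached."""
    attached = referenced_appenders(props)
    findings = []
    for key, value in props.items():
        m = re.fullmatch(r"log4j\.appender\.([^.]+)", key)
        if m and value == JMS_APPENDER_CLASS:
            name = m.group(1)
            bindings = {k: props.get(f"log4j.appender.{name}.{k}") for k in JNDI_BINDING_KEYS}
            findings.append({"appender": name, "bindings": bindings, "attached": name in attached})
    return findings


def scan(text: str) -> List[str]:
    """Human-readable report lines for a log4j 1.x properties file."""
    findings = find_jms_appenders(parse_properties(text))
    if not findings:
        return ["no JMSAppender configured: CVE-2021-4104 precondition absent"]
    report = []
    for f in findings:
        state = "ATTACHED" if f["attached"] else "defined but not attached to any logger"
        report.append(f"JMSAppender '{f['appender']}' ({state})")
        for k, v in f["bindings"].items():
            report.append(f"  {k} = {v!r}")
    return report


if __name__ == "__main__":
    for line in scan(SAMPLE_LOG4J_PROPERTIES):
        print(line)
    print("---")
    for line in scan(SAMPLE_CLEAN_PROPERTIES):
        print(line)
```

Run it against the log4j.properties shipped inside an image (for example by copying the file out of a container) to confirm, as the advisory says for the Confluent community package, that no JMSAppender is configured; an appender that is defined but not attached to any logger is still worth removing, since a later config change could activate it.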

@andrewegel
Member

Please see Confluent's official stance on this topic: https://support.confluent.io/hc/en-us/articles/4412615410580-December-2021-Log4j-Vulnerabilities-Advisory

@andrewegel andrewegel pinned this issue Dec 14, 2021
@DrauzJu
Author

DrauzJu commented Dec 14, 2021

Please see Confluent's official stance on this topic: https://support.confluent.io/hc/en-us/articles/4412615410580-December-2021-Log4j-Vulnerabilities-Advisory

Thanks a lot, this answers it:

Confluent’s community package does not include or rely upon Log4j 2.x. The community package also relies upon Confluent’s fork of Log4j 1.x (confluent-log4j), which is not vulnerable to CVE-2021-44228. The community package does not ship with JMS Appender configured by default, which means the Confluent community package is not impacted by CVE-2021-4104.

With this I will close the issue. Thanks a lot for your input!
