
CVE-2022-X in log4j 1.2.17 #141

Closed
bebaek opened this issue Jan 28, 2022 · 5 comments

Comments

@bebaek

bebaek commented Jan 28, 2022

I would like to report that log4j 1.2.17 seems to be used in cp-kafka 7.0.1, etc., and is affected by the recent CVEs. I don't know if this is already being investigated. Please see the references:

https://issues.apache.org/jira/browse/KAFKA-13616
https://kafka.apache.org/cve-list

@andrewegel
Contributor

@andrewegel andrewegel pinned this issue Jan 28, 2022
@bebaek
Author

bebaek commented Jan 28, 2022

Thanks for the link but I am not referring to the last year's CVE. Please see the list in https://issues.apache.org/jira/browse/KAFKA-13616.

@andrewegel
Contributor

Quote from my link:

Confluent maintains a private fork (confluent-log4j) of Log4j 1.x that is used by Confluent Platform. We have provided fixes to this fork to address security issues in Log4j v1.x that have been disclosed in the past. We continue to scan Confluent Platform products on a regular basis including direct and transitive dependencies, and monitor for any new vulnerabilities and assess the impact to our customers.

If you want more specifics to your concerns please open a confluent support case where some information can be shared with you - otherwise you'll have to wait for a security bulletin.

@bebaek
Author

bebaek commented Jan 28, 2022

I see. Then it is a matter of that private fork. I can wait for a security bulletin. Thanks!

@andrewegel
Contributor

Keep in mind that this repo builds images based on code from https://github.com/confluentinc/kafka, the "Confluent Community Server", NOT https://github.com/apache/kafka, which is still running the last version of log4j 1.x and is not using the private fork mentioned.

If you are using the open-source apache/kafka releases and are concerned, then your only channel for information is the apache KAFKA Jira that you opened.
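One way to check which log4j 1.x build an image actually ships, as an added example (not code from this repo or from Confluent): copy the image's jar directories to a host path and run the inventory over it. It reads each jar's Maven pom.properties; the upstream coordinates log4j:log4j:1.2.17 are real, while the fork's io.confluent:confluent-log4j coordinates and the sample version string are assumptions used only for the constructed sample jars.

```python
import os
import tempfile
import zipfile

def maven_coords(jar_path):
    """(groupId, artifactId, version) from pom.properties; marker tuple if only log4j classes; else None."""
    with zipfile.ZipFile(jar_path) as zf:
        for name in zf.namelist():
            if name.startswith("META-INF/maven/") and name.endswith("pom.properties"):
                props = {}
                for line in zf.read(name).decode("utf-8", "replace").splitlines():
                    key, sep, value = line.strip().partition("=")
                    if sep and not key.startswith("#"):
                        props[key.strip()] = value.strip()
                return tuple(props.get(k, "") for k in ("groupId", "artifactId", "version"))
        # Repackaged jars may lack Maven metadata; the log4j 1.x package name still gives it away.
        if any(n.startswith("org/apache/log4j/") for n in zf.namelist()):
            return ("", "log4j-1.x-classes", "")
    return None

def classify(group, artifact, version):
    """Map Maven coordinates to a verdict a reviewer can act on."""
    if group == "log4j" and artifact == "log4j" and version.startswith("1."):
        return "upstream log4j 1.x (EOL)"
    if "confluent-log4j" in artifact:  # the fork's Maven coordinates are an assumption here
        return "confluent-log4j fork"
    if artifact == "log4j-1.x-classes":
        return "log4j 1.x classes, origin unknown"
    return "other"

def inventory_log4j(root):
    """Walk root for *.jar files; return sorted [(file, group, artifact, version, verdict)]."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.endswith(".jar"):
                coords = maven_coords(os.path.join(dirpath, f))
                if coords:
                    findings.append((f, *coords, classify(*coords)))
    return sorted(findings)

def demo():
    """Build two constructed jars (Maven metadata only, no real classes) and inventory them."""
    root = tempfile.mkdtemp()
    samples = [("log4j-1.2.17.jar", "log4j", "log4j", "1.2.17"),
               ("confluent-log4j.jar", "io.confluent", "confluent-log4j", "1.2.17-cp2")]  # assumed
    for fname, group, artifact, version in samples:
        with zipfile.ZipFile(os.path.join(root, fname), "w") as zf:
            zf.writestr(f"META-INF/maven/{group}/{artifact}/pom.properties",
                        f"groupId={group}\nartifactId={artifact}\nversion={version}\n")
    return inventory_log4j(root)
```

On a real image, point inventory_log4j at the extracted /usr/share/java tree and treat any "upstream log4j 1.x" or "origin unknown" verdict as something to raise with the vendor.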
