conduktor / kafka-security-manager

Manage your Kafka ACL at scale
https://hub.docker.com/r/simplesteph/kafka-security-manager
MIT License
359 stars 159 forks

Image Vulnerabilities #117

Closed chrisnava07 closed 2 years ago

chrisnava07 commented 2 years ago

our security scans are showing several critical and high vulnerability issues with Log4j and several other .jars within the Docker Image. Will these be addressed in a new release? If not, a statement from the owning team would be great to show our customers.

Thank you, Chris

simplesteph commented 2 years ago

Can you please post the output here ?

chrisnava07 commented 2 years ago

sure thing! vuln_output.txt

simplesteph commented 2 years ago

Done, release 1.0.1 contains the fix https://github.com/conduktor/kafka-security-manager/releases/tag/v1.0.1

landrytimothy commented 2 years ago

Not a huge deal, but just wanted to mention that the release artifact seems to still include the log4j 1.2.17.jar. We were able to build a package without it but figured I'd mention it here.

$md5sum kafka-security-manager-1.0.1.zip
fe308a00254e80142f29f74fe188a131  kafka-security-manager-1.0.1.zip
$unzip -l kafka-security-manager-1.0.1.zip | grep log4j
    12188  2021-07-20 11:58   kafka-security-manager-1.0.1/lib/org.slf4j.slf4j-log4j12-1.7.32.jar
   489884  2012-05-26 09:43   kafka-security-manager-1.0.1/lib/log4j.log4j-1.2.17.jar

chrisnava07 commented 2 years ago
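The `unzip -l | grep log4j` check above can be turned into a repeatable artifact check for CI. The following is an added example, not code from the kafka-security-manager project or from any commenter: it reads the entry names of a release zip, parses the `<org>.<artifact>-<version>.jar` naming used in the listing, and flags Log4j 1.x jars (end-of-life) plus the `slf4j-log4j12` binding that exists only to route logging into Log4j 1.x. The sample zip it builds is constructed from the two entries shown in the listing plus one assumed benign `slf4j-api` jar so the check has a negative case; jar bodies are empty placeholders because only the names matter here.

```python
import io
import re
import sys
import zipfile
from typing import List, Optional, Tuple

# Matches the "<org>.<artifact>-<version>.jar" shape seen in the listing, e.g.
#   org.slf4j.slf4j-log4j12-1.7.32.jar -> ("org.slf4j", "slf4j-log4j12", "1.7.32")
#   log4j.log4j-1.2.17.jar             -> ("log4j", "log4j", "1.2.17")
JAR_NAME_RE = re.compile(r"^(?P<org>[^/]+?)\.(?P<artifact>[^./]+)-(?P<version>\d[^/]*)\.jar$")


def parse_jar_name(basename: str) -> Optional[Tuple[str, str, str]]:
    """Split a jar file name into (org, artifact, version), or None if it does not match."""
    m = JAR_NAME_RE.match(basename)
    if not m:
        return None
    return m.group("org"), m.group("artifact"), m.group("version")


def classify(org: str, artifact: str, version: str) -> Optional[str]:
    """Return a reason string for jars a release should not bundle, else None."""
    if org == "log4j" and artifact == "log4j" and version.startswith("1."):
        return "Log4j 1.x (end-of-life) bundled in release artifact"
    if artifact == "slf4j-log4j12":
        return "SLF4J binding that requires Log4j 1.x at runtime"
    return None


def scan_zip_bytes(data: bytes) -> List[Tuple[str, str]]:
    """Scan zip content and return (entry path, reason) for every flagged jar."""
    findings: List[Tuple[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for entry in zf.namelist():
            if not entry.endswith(".jar"):
                continue
            parsed = parse_jar_name(entry.rsplit("/", 1)[-1])
            if parsed is None:
                continue
            reason = classify(*parsed)
            if reason:
                findings.append((entry, reason))
    return findings


def scan_zip_file(path: str) -> List[Tuple[str, str]]:
    with open(path, "rb") as fh:
        return scan_zip_bytes(fh.read())


def build_sample_release_zip() -> bytes:
    """Constructed sample mirroring the two entries in the unzip listing above.

    The slf4j-api entry is an assumed benign jar added for a negative case.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("kafka-security-manager-1.0.1/lib/org.slf4j.slf4j-log4j12-1.7.32.jar", b"")
        zf.writestr("kafka-security-manager-1.0.1/lib/log4j.log4j-1.2.17.jar", b"")
        zf.writestr("kafka-security-manager-1.0.1/lib/org.slf4j.slf4j-api-1.7.32.jar", b"")  # assumed benign
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python check_release.py [release.zip]; without an argument the constructed sample is scanned.
    results = scan_zip_file(sys.argv[1]) if len(sys.argv) > 1 else scan_zip_bytes(build_sample_release_zip())
    for path, reason in results:
        print(f"FLAGGED {path}: {reason}")
    sys.exit(1 if results else 0)
```

Run against a real release zip it exits non-zero whenever a flagged jar is present, which makes it usable as a gate in the packaging pipeline; against the constructed sample it reports the two log4j-related entries and leaves the `slf4j-api` jar alone.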

@landrytimothy would you happen to have a couple steps on how you handled that?

simplesteph commented 2 years ago

@gurinderu can you have a look please ?