Closed DrauzJu closed 2 years ago
Kafka is using log4j v1, which is not affected. Only with a specific JMS configuration is it vulnerable.
So, in short, as long as you're using Kafka, and not setting the jms configuration: TopicBindingName or TopicConnectionFactoryBindingName to something that JNDI can handle, it is safe!
Source: https://lists.apache.org/thread/lgbtvvmy68p0059yoyn9qxzosdmx4jdv
To be honest, I'm not familiar with this "jms configuration", but hope this info helps.
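The precondition described above (log4j 1.x is only exposed when a JMSAppender is configured with JNDI binding names) can be checked mechanically against the log4j.properties a Kafka broker or Connect worker actually loads. The following is an added example, not code from this thread or from Kafka/Confluent; the sample properties are constructed, and the JNDI-related keys are the ones JMSAppender reads (TopicBindingName, TopicConnectionFactoryBindingName, ProviderURL).

```python
"""Flag JMSAppender configuration in a log4j 1.x properties file.

Added example (not from the issue thread): reports every appender whose
class is org.apache.log4j.net.JMSAppender, the JNDI-related settings on
it, and whether any logger actually attaches it (log4j 1.x only
instantiates appenders that a logger references).
"""
import re
from typing import Dict, List

JMS_APPENDER_CLASS = "org.apache.log4j.net.JMSAppender"
# JMSAppender settings that are resolved through JNDI lookups.
JNDI_KEYS = ("TopicBindingName", "TopicConnectionFactoryBindingName", "ProviderURL")

# Constructed sample: a typical Kafka log4j.properties with a JMS appender added.
SAMPLE = """\
log4j.rootLogger=INFO, stdout, jms
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.TopicBindingName=logTopic
log4j.appender.jms.TopicConnectionFactoryBindingName=ConnectionFactory
log4j.logger.kafka=INFO
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal parser for the key=value (or key:value) lines log4j 1.x uses."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue  # blank lines and comments
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def find_jms_appenders(text: str) -> List[Dict[str, object]]:
    """One finding per JMSAppender: its name, JNDI settings, and attachment."""
    props = parse_properties(text)
    attached = set()  # appender names referenced by rootLogger or any logger
    for key, value in props.items():
        if key == "log4j.rootLogger" or key.startswith("log4j.logger."):
            attached.update(p.strip() for p in value.split(",")[1:])
    findings = []
    for key, value in props.items():
        m = re.fullmatch(r"log4j\.appender\.([^.]+)", key)
        if m and value == JMS_APPENDER_CLASS:
            name = m.group(1)
            finding: Dict[str, object] = {"appender": name, "attached": name in attached}
            for k in JNDI_KEYS:
                finding[k] = props.get(f"log4j.appender.{name}.{k}", "")
            findings.append(finding)
    return findings


def is_exposed(text: str) -> bool:
    """True when a JMSAppender is configured and attached to a logger."""
    return any(f["attached"] for f in find_jms_appenders(text))
```

Run it against each log4j.properties (and any file passed via log4j.configuration) on the host rather than against the shipped default, since only the loaded configuration matters.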
Who can identify which Kafka images and also confluentinc/cp-kafka-connect images are affected by the vulnerability? I'm currently using version 7.0.0 of the confluentinc/cp-kafka-connect images in a helm chart and want to know if this is affected or not.
According to this SO post, Log4J 1.x should only be vulnerable if you have configured the JMSAppender.
That said, Log4J 1.x has other vulnerabilities.
Please see Confluent's official stance on this topic: https://support.confluent.io/hc/en-us/articles/4412615410580-December-2021-Log4j-Vulnerabilities-Advisory
Thanks a lot, this answers it:
Confluent’s community package does not include or rely upon Log4j 2.x. The community package also relies upon Confluent’s fork of Log4j 1.x (confluent-log4j), which is not vulnerable to CVE-2021-44228. The community package does not ship with JMS Appender configured by default, which means the Confluent community package is not impacted by CVE-2021-4104.
With this I will close the issue. Thanks a lot for your input!
Hi,
can somebody please confirm that the image confluentinc/cp-kafka:6.0.1 is NOT affected by the log4j vulnerability CVE-2021-44228? If I checked correctly, it uses a custom log4j version based on v1.2.17 (https://github.com/confluentinc/kafka/blob/9c1fbb3db1e0d69d09f165b3b9861fc984ad1a62/gradle/dependencies.gradle#L78), which is not included in the list of affected versions. Still, I want to make sure I am right here.
Thank you!