confluentinc / kafka-images

Confluent Docker images for Apache Kafka
Apache License 2.0

Affected by CVE-2021-44228? #128

Closed DrauzJu closed 2 years ago

DrauzJu commented 2 years ago

Hi,

can somebody please confirm that the image confluentinc/cp-kafka:6.0.1 is NOT affected by the log4j vulnerability CVE-2021-44228?

If I checked correctly, it uses a custom log4j version based on v1.2.17 (https://github.com/confluentinc/kafka/blob/9c1fbb3db1e0d69d09f165b3b9861fc984ad1a62/gradle/dependencies.gradle#L78), which is not included in the list of affected versions. Still, I want to make sure I am right here.

Thank you!

tim-brand commented 2 years ago

Kafka is using log4j v1, which is not affected. It's only vulnerable with a specific jms configuration.

So, in short, as long as you're using Kafka, and not setting the jms configuration: TopicBindingName or TopicConnectionFactoryBindingName to something that JNDI can handle, it is safe!

Source: https://lists.apache.org/thread/lgbtvvmy68p0059yoyn9qxzosdmx4jdv

To be honest, I'm not familiar with this "jms configuration", but hope this info helps.

tnagel1 commented 2 years ago

Who can identify which Kafka images and also confluentinc/cp-kafka-connect images are affected by the vulnerability? I'm currently using version 7.0.0 of the confluentinc/cp-kafka-connect images in a helm chart and want to know if this is affected or not.

roadSurfer commented 2 years ago

According to this SO post, Log4J 1.x should only be vulnerable if you have configured the JMSAppender. That said, Log4J 1.x has other vulnerabilities.
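The two comments above (tim-brand's and roadSurfer's) come down to one auditable condition for Log4j 1.x: is a JMSAppender declared, is it wired to a logger, and does it set TopicBindingName or TopicConnectionFactoryBindingName (both resolved through JNDI)? The script below checks a log4j.properties file for exactly that pattern. It is an added example for this thread, not code from the confluentinc/kafka-images project or from Confluent; it assumes standard Java .properties syntax as used by Log4j 1.x, and the two sample configurations are constructed to look like a Kafka broker config, not copied from any image.

```python
"""Audit a log4j 1.x properties file for the JMSAppender configuration that
CVE-2021-4104 depends on. Added example for this thread; it is not code from
the confluentinc/kafka-images project, and the sample configurations below
are constructed to resemble a Kafka log4j.properties, not copied from any image."""
import re
from typing import Dict, Iterator, List

JMS_APPENDER_CLASS = "org.apache.log4j.net.JMSAppender"
# The two JMSAppender properties named in the thread; both are looked up via JNDI.
JNDI_BINDING_KEYS = ("TopicBindingName", "TopicConnectionFactoryBindingName")


def _logical_lines(text: str) -> Iterator[str]:
    """Yield logical lines of a Java .properties file: comment lines ('#' or '!')
    dropped, trailing-backslash continuations joined to the next line."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not buf and (not line or line[0] in "#!"):
            continue
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal key/value parser; enough for log4j.properties (key=value or key:value)."""
    props: Dict[str, str] = {}
    for line in _logical_lines(text):
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def _appender_is_attached(props: Dict[str, str], name: str) -> bool:
    """True if the root logger or any named logger lists the appender by name."""
    for key, value in props.items():
        if key in ("log4j.rootLogger", "log4j.rootCategory") or key.startswith(
            ("log4j.logger.", "log4j.category.")
        ):
            if name in [part.strip() for part in value.split(",")]:
                return True
    return False


def audit_log4j1(text: str) -> List[dict]:
    """Return one finding per JMSAppender declared in the config, recording whether
    it is attached to a logger and whether either JNDI binding name is set."""
    props = parse_properties(text)
    findings = []
    for key, value in props.items():
        m = re.fullmatch(r"log4j\.appender\.([^.]+)", key)
        if not m or value != JMS_APPENDER_CLASS:
            continue
        name = m.group(1)
        bindings = {k: props.get(f"log4j.appender.{name}.{k}") for k in JNDI_BINDING_KEYS}
        attached = _appender_is_attached(props, name)
        findings.append({
            "appender": name,
            "attached": attached,
            "bindings": bindings,
            # Exposure needs the appender both attached to a logger and carrying a
            # JNDI binding name; a declared-but-unused appender is still worth removing.
            "exposed": attached and any(bindings.values()),
        })
    return findings


# Constructed sample resembling a stock Kafka broker config: console appender only.
SAFE_CONFIG = """\
log4j.rootLogger=INFO, stdout
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.stdout.layout.ConversionPattern=[%d] %p %m (%c)%n
"""

# Constructed sample of the pattern the thread describes; not from any real image.
RISKY_CONFIG = SAFE_CONFIG + """\
log4j.rootLogger=INFO, stdout, jms
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.TopicConnectionFactoryBindingName=ConnectionFactory
log4j.appender.jms.TopicBindingName=\\
    logTopic
"""

if __name__ == "__main__":
    for label, cfg in (("safe", SAFE_CONFIG), ("risky", RISKY_CONFIG)):
        print(label, "->", audit_log4j1(cfg) or "no JMSAppender configured")
```

Run it against the log4j.properties actually mounted into the container (for cp-kafka that is normally generated from the image's templates at start-up, so check the rendered file inside the running container rather than the template). A finding with `exposed` false but `attached` true means the appender is wired up without JNDI names; an empty list is the expected result for a default broker config.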

andrewegel commented 2 years ago

Please see Confluent's official stance on this topic: https://support.confluent.io/hc/en-us/articles/4412615410580-December-2021-Log4j-Vulnerabilities-Advisory

DrauzJu commented 2 years ago

Please see Confluent's official stance on this topic: https://support.confluent.io/hc/en-us/articles/4412615410580-December-2021-Log4j-Vulnerabilities-Advisory

Thanks a lot, this answers it:

Confluent’s community package does not include or rely upon Log4j 2.x. The community package also relies upon Confluent’s fork of Log4j 1.x (confluent-log4j), which is not vulnerable to CVE-2021-44228. The community package does not ship with JMS Appender configured by default, which means the Confluent community package is not impacted by CVE-2021-4104.

With this I will close the issue. Thanks a lot for your input!