rhauch edited a comment on pull request #388: URL: https://github.com/apache/kafka-site/pull/388#issuecomment-994134387
As background for Connect:

* Connect runtime puts all JARs from each connector plugin on a separate classloader, and neither the Connect runtime nor other connector plugins have access to a plugin's JARs. This is why a connector plugin that includes a Log4J 2.x JAR
* Most connector implementations simply use the logging provided by the Connect runtime, which is Log4J 1.x regardless of the JARs included by connector plugins.
* However, if a connector plugin does include the Log4J 2.x JAR files, those JAR files will only be used if the connector implementation explicitly uses those APIs. There isn't a need to do this, but connectors are custom code and can do quite a bit.

We might consider adding something like this under the `CVE-2021-44228` section, which I hope conveys the limited scope of the risk:

> The Connect runtime of Apache Kafka allows users to install third party connector plugins. These connector plugins will use Connect runtime's Log4J 1.x by default, even when Log4J 1.x or 2.x JARs are inadvertently shipped with the connector plugin. Check with the vendor of any connector plugin that includes a Log4J 2.x JAR file.

Basically, AK is not responsible for third party connectors that users add to their Connect installations. But users should consult with the vendor of those third party connectors.

As for `CVE-2021-4104`, I think the existing wording applies to Connect just as well as every other part of AK, so IMO no changes are necessary to that section specifically for Connect.

Feel free to wordsmith as needed.
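The comment's practical advice is to find out which installed connector plugins ship a Log4J 2.x JAR and take that list to the vendor. The script below is an added example, not code from the PR or from Apache Kafka: it walks a Connect `plugin.path` directory (assuming the usual layout of one sub-directory per plugin), records every Log4J 1.x or 2.x JAR found under each plugin, and for `log4j-core` 2.x JARs notes whether the `JndiLookup` class is still inside the archive, since deleting that class from the JAR was one of the published CVE-2021-44228 mitigations. The plugin directories and JARs it scans are constructed in a temporary directory for the demonstration; the JARs are empty placeholder archives, not real bytecode. An unreadable JAR is reported rather than skipped, because a truncated or corrupt archive still needs a human look.

```python
"""Inventory Log4J JARs shipped inside Kafka Connect connector plugins.

Added example (not from the apache/kafka-site PR or the Kafka code base).
Assumes the Connect convention that `plugin.path` points at a directory with
one sub-directory per connector plugin; each sub-directory is scanned
recursively for JAR files.
"""
import os
import re
import tempfile
import zipfile

# Log4J 2.x core/api artifacts, e.g. log4j-core-2.14.1.jar
LOG4J2_JAR = re.compile(r"^log4j-(core|api)-(2\.\d+(?:\.\d+)*)\.jar$")
# Log4J 1.x artifact, e.g. log4j-1.2.17.jar
LOG4J1_JAR = re.compile(r"^log4j-(1\.\d+(?:\.\d+)*)\.jar$")
# Class whose removal from log4j-core was one published CVE-2021-44228 mitigation
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def jar_contains(jar_path, entry):
    """True/False if the JAR (a zip file) contains `entry`; None if it cannot be read."""
    try:
        with zipfile.ZipFile(jar_path) as jar:
            return entry in jar.namelist()
    except (zipfile.BadZipFile, OSError):
        return None


def inventory_plugin_path(plugin_path):
    """Map each plugin directory name to the Log4J JARs found beneath it.

    Each finding is a dict with keys jar, major ("1" or "2") and version; for
    2.x core JARs it also carries jndi_lookup_present (True, False, or None when
    the archive could not be opened).
    """
    findings = {}
    for plugin in sorted(os.listdir(plugin_path)):
        plugin_dir = os.path.join(plugin_path, plugin)
        if not os.path.isdir(plugin_dir):
            continue  # loose files at the top level are not a plugin directory
        hits = []
        for root, _dirs, files in os.walk(plugin_dir):
            for name in sorted(files):
                path = os.path.join(root, name)
                m2 = LOG4J2_JAR.match(name)
                m1 = LOG4J1_JAR.match(name)
                if m2:
                    hit = {"jar": name, "major": "2", "version": m2.group(2)}
                    if m2.group(1) == "core":
                        hit["jndi_lookup_present"] = jar_contains(path, JNDI_LOOKUP_CLASS)
                    hits.append(hit)
                elif m1:
                    hits.append({"jar": name, "major": "1", "version": m1.group(1)})
        findings[plugin] = hits
    return findings


def plugins_needing_vendor_followup(findings):
    """Plugins that ship any Log4J 2.x JAR: the set to raise with the plugin vendor."""
    return sorted(p for p, hits in findings.items() if any(h["major"] == "2" for h in hits))


def build_sample_plugin_path(base):
    """Create a constructed plugin.path layout with placeholder (non-functional) JARs."""
    def make_jar(path, entries):
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with zipfile.ZipFile(path, "w") as jar:
            for entry in entries:
                jar.writestr(entry, b"")  # empty placeholder entry, not real bytecode
    # plugin A bundles log4j-core 2.14.1 with JndiLookup still present
    make_jar(os.path.join(base, "vendor-a-connector", "lib", "log4j-core-2.14.1.jar"),
             ["META-INF/MANIFEST.MF", JNDI_LOOKUP_CLASS])
    make_jar(os.path.join(base, "vendor-a-connector", "lib", "log4j-api-2.14.1.jar"),
             ["META-INF/MANIFEST.MF"])
    # plugin B bundles only its own code
    make_jar(os.path.join(base, "vendor-b-connector", "connector-b.jar"),
             ["META-INF/MANIFEST.MF"])
    # plugin C bundles Log4J 1.x, the same major version the Connect runtime uses
    make_jar(os.path.join(base, "vendor-c-connector", "log4j-1.2.17.jar"),
             ["META-INF/MANIFEST.MF"])
    # plugin D ships a log4j-core 2.x file that is not a readable archive (truncated download)
    broken = os.path.join(base, "vendor-d-connector", "log4j-core-2.17.1.jar")
    os.makedirs(os.path.dirname(broken), exist_ok=True)
    with open(broken, "wb") as f:
        f.write(b"not a zip")
    return base


def run_sample():
    """Build the constructed layout in a temporary directory and inventory it."""
    with tempfile.TemporaryDirectory() as tmp:
        return inventory_plugin_path(build_sample_plugin_path(tmp))


if __name__ == "__main__":
    result = run_sample()
    for plugin, hits in result.items():
        print(plugin, hits)
    print("follow up with vendor:", plugins_needing_vendor_followup(result))
```

Pointing `inventory_plugin_path` at a real `plugin.path` directory gives the per-plugin list the comment asks users to take to the vendor; the inventory only reports what is on disk and says nothing about whether a connector actually calls the Log4J 2.x API, which is the point the comment makes about classloader isolation and default logging.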