in the log4j.properties file. Does it
> mean we are safe?
>
> Thanks,
> Dhirendra.
>
> -Original Message-
> From: Brian Rickabaugh
> Sent: Wednesday, December 15, 2021 8:04 AM
> To: users@kafka.apache.org
> Subject: Re: CVE-2021-44228 – Log4j 2 Vulnerability
>
the log4j.properties file. Does it mean
we are safe?
Thanks,
Dhirendra.
-Original Message-
From: Brian Rickabaugh
Sent: Wednesday, December 15, 2021 8:04 AM
To: users@kafka.apache.org
Subject: Re: CVE-2021-44228 – Log4j 2 Vulnerability
I'll second that. Thank you!
Brian
Quoting
I'll second that. Thank you!
Brian
Quoting Luke Chen :
Hi Jun,
It looks great and clear!
Thank you for working on the public statement!
Thank you.
Luke
On Wed, Dec 15, 2021 at 8:34 AM Jun Rao wrote:
Hi, Everyone,
Just to provide an update. https://kafka.apache.org/cve-list is now
upda
Hi Jun,
It looks great and clear!
Thank you for working on the public statement!
Thank you.
Luke
On Wed, Dec 15, 2021 at 8:34 AM Jun Rao wrote:
> Hi, Everyone,
>
> Just to provide an update. https://kafka.apache.org/cve-list is now
> updated
> with this CVE.
>
> Thanks,
>
> Jun
>
> On Tue, Dec
Hi, Everyone,
Just to provide an update. https://kafka.apache.org/cve-list is now updated
with this CVE.
Thanks,
Jun
On Tue, Dec 14, 2021 at 3:30 PM Jun Rao wrote:
> Hi, Israel,
>
> Randall added some clarification for the connectors in the PR.
>
> Thanks,
>
> Jun
>
> On Tue, Dec 14, 2021 at
Hi, Israel,
Randall added some clarification for the connectors in the PR.
Thanks,
Jun
On Tue, Dec 14, 2021 at 12:10 PM Israel Ekpo wrote:
> Do we want to add a disclaimer that users need to check their connectors to
> see if they use log4j2?
>
> Though the core library does not use this depen
Do we want to add a disclaimer that users need to check their connectors to
see if they use log4j2?
Though the core library does not use this dependency, it is possible
external connectors that use it could introduce vulnerabilities if they
depend on the affected log4j2 version
On Tue, Dec 14, 20
Sure I will take a look at it shortly
On Tue, Dec 14, 2021 at 12:44 PM Jun Rao wrote:
> Hi, Luke,
>
> Thanks for the analysis. We are trying to put a public statement on this
> through this PR: https://github.com/apache/kafka-site/pull/388. If anyone
> has more feedback, we can iterate on the PR
Hi, Luke,
Thanks for the analysis. We are trying to put a public statement on this
through this PR: https://github.com/apache/kafka-site/pull/388. If anyone
has more feedback, we can iterate on the PR.
Thanks,
Jun
On Tue, Dec 14, 2021 at 7:53 AM Murilo Tavares wrote:
> What about Kafka-Conne
What about Kafka-Connect?
Has anyone checked if any of the Confluent KafkaConnect docker images embed
log4j v2?
Thanks
On Mon, 13 Dec 2021 at 21:39, Luke Chen wrote:
> Hi all,
>
> Here are the comments for the CVE-2021-44228 vulnerability *from the SLF4J project*.
> REF: http://slf4j.org/log4shell.html
>
Hi all,
Here are the comments for the CVE-2021-44228 vulnerability *from the SLF4J project*.
REF: http://slf4j.org/log4shell.html
I think it's an analysis that is worth reading. Most importantly, it has
comments about log4j 1.x versions, which is what Kafka currently uses.
I quote some sentences here for your refer
Thanks guys!
On Mon, Dec 13, 2021 at 7:43 AM Brian Rickabaugh
wrote:
> I strongly recommend that the Kafka community publish a statement on this
> vulnerability.
>
> This Log4J exploit is getting a lot of publicity in my organization and a
> page to point our security team to would be very hel
I strongly recommend that the Kafka community publish a statement on this
vulnerability.
This Log4J exploit is getting a lot of publicity in my organization and a
page to point our security team to would be very helpful.
Brian
Quoting Luke Chen :
Due to this vulnerability is quite critical a
Because this vulnerability is quite critical and "popular" these days,
should *Kafka have an official announcement in our security cve list page
or somewhere*? (i.e. https://kafka.apache.org/cve-list)
So far, my assessment is that Kafka is not using log4j 2.x versions, so
the risk is lower.
Kaf
Hi David Ballano Fernandez and all,
Some update here:
Based on @TopStreamsNet's comment here:
https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301
log4j 1.x versions can still be vulnerable to this issue, but only when the
jms configuration: *TopicBindingName* or *TopicConnecti
Hi David Ballano Fernandez,
Thanks for reporting this issue. Yes, this is the most critical 0-day
vulnerability for security members.
I've been investigating this CVE for a while, and I confirmed that *log4j
1.x versions are not affected by this vulnerability.*
That is, *Kafka, which is using log4