Hi Team,
We are using Apache Kafka as part of the ELK stack, and we have an internal tool to find the vulnerabilities present in all the products/3PPs which we use in our product. We received the below vulnerabilities on log4j: CVE-2022-23302, CVE-2022-23305, CVE-2022-23307. Since Kafka is using log4j internally, these vulnerabilities are also applicable to us. Hence our security team is asking us to mitigate these vulnerabilities before releasing our product to the market.

On analyzing further, we found that for CVE-2022-23307 there is a mitigation plan proposed by Kafka, in the below-mentioned article: https://kafka.apache.org/cve-list

But in the same article, we didn't find any information for the CVEs CVE-2022-23302 and CVE-2022-23305. So kindly help us in clarifying the below queries:

1. Are the CVEs CVE-2022-23302 and CVE-2022-23305 applicable to Apache Kafka? If so, how can we mitigate these vulnerabilities, and will there be any patch/fix released?

2. If not vulnerable, can we remove the following vulnerable classes from the log4j jar?

   zip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class
   zip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class

3. Will there be any impact on Kafka's functionality after removing the above-mentioned classes?

Thanks & Regards
Karupasamy
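As an added illustration, not part of the mail above or of any Kafka/log4j project code: a small Python script that checks a log4j jar for the two class entries named in the mail, writes a stripped copy (the same effect as the `zip -d` commands, but leaving the original jar intact for rollback), and verifies the result. The sample jar it builds is constructed for the demo and contains placeholder bytes, not real log4j bytecode.

```python
import tempfile
import zipfile
from pathlib import Path

# Class entries named in the mail: JMSSink (CVE-2022-23302), JDBCAppender (CVE-2022-23305).
VULNERABLE_CLASSES = (
    "org/apache/log4j/net/JMSSink.class",
    "org/apache/log4j/jdbc/JDBCAppender.class",
)


def find_vulnerable_classes(jar_path):
    """Return the sorted list of flagged entries still present in the jar."""
    with zipfile.ZipFile(jar_path) as jar:
        names = set(jar.namelist())
    return sorted(c for c in VULNERABLE_CLASSES if c in names)


def strip_classes(jar_path, out_path, classes=VULNERABLE_CLASSES):
    """Copy jar_path to out_path without the given entries and return what was removed.
    Equivalent to `zip -d` for those entries, but the source jar is left untouched."""
    removed = []
    with zipfile.ZipFile(jar_path) as src, \
            zipfile.ZipFile(out_path, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename in classes:
                removed.append(info.filename)
                continue
            dst.writestr(info, src.read(info.filename))
    return sorted(removed)


def build_sample_jar(path):
    """Constructed stand-in for a log4j 1.x jar: the two flagged classes plus one benign class."""
    with zipfile.ZipFile(path, "w") as jar:
        for name in VULNERABLE_CLASSES + ("org/apache/log4j/Logger.class",):
            jar.writestr(name, b"\xca\xfe\xba\xbe")  # class-file magic only, not real bytecode
    return path


def demo():
    """Build the sample jar, strip it, and report (before, removed, after, remaining entries)."""
    tmp = Path(tempfile.mkdtemp())
    before = build_sample_jar(tmp / "log4j-sample.jar")  # hypothetical file name
    after = tmp / "log4j-sample-stripped.jar"
    removed = strip_classes(before, after)
    with zipfile.ZipFile(after) as jar:
        remaining = sorted(jar.namelist())
    return find_vulnerable_classes(before), removed, find_vulnerable_classes(after), remaining


if __name__ == "__main__":
    print(demo())
```

Run the same `find_vulnerable_classes` against the real log4j jar shipped with Kafka before and after patching to confirm the entries are actually gone.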