Hi Team,
Kindly awaiting your response, as this issue needs to be
mitigated before our product release to the market in the coming days.
Thanks & Regards
Karupasamy
From: Karupasamy S
Sent: Thursday, January 27, 2022 4:12 PM
To: users@kafka.apache.org
Cc: Mariappan Thangavel <mariappan.thanga...@ericsson.com>
Subject: Apache log4j 1.x vulnerability mitigations on Kafka
Hi Team,
We are using Apache Kafka as part of the ELK stack and we have
an internal tool to find the vulnerabilities present on all the products/3pp
which we use in our product.
So we received the below vulnerabilities on log4j:
CVE-2022-23302, CVE-2022-23305, CVE-2022-23307
Since Kafka is using log4j internally we are also applicable to
these vulnerabilities. Hence our security team is asking us to mitigate these
vulnerabilities before releasing our product to the market.
On analyzing further, we found for the CVE CVE-2022-23307,
there is a mitigation plan proposed by Kafka, in the below-mentioned article:
https://kafka.apache.org/cve-list
[cid:image001.png@01D81479.1A8E4780]
But in the same article we, didn't find any information for the
CVEs CVE-2022-23302, CVE-2022-23305.
So kindly help us in clarifying the below queries:
1. Are the CVEs CVE-2022-23302, CVE-2022-23305 applicable to the Apache
Kafka? If so, how to mitigate these vulnerabilities, and will be there be any
patch/fix that will be released?
1. If not vulnerable, Can we remove the following vulnerable classes from
the log4j jar?
zip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class
zip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class
1. Will there be any impact on Kafka's functionalities after removing the
above-mentioned classes?
Thanks & Regards
Karupasamy
