Hi Team,

Kindly awaiting your response, as this issue needs to be mitigated before our product release to the market in the coming days.

Thanks & Regards
Karupasamy

From: Karupasamy S
Sent: Thursday, January 27, 2022 4:12 PM
To: users@kafka.apache.org
Cc: Mariappan Thangavel <mariappan.thanga...@ericsson.com>
Subject: Apache log4j 1.x vulnerability mitigations on Kafka

Hi Team,


We are using Apache Kafka as part of the ELK stack, and we have an internal tool to find the vulnerabilities present on all the products/3pp which we use in our product.

So we received the below vulnerabilities on log4j:

CVE-2022-23302, CVE-2022-23305, CVE-2022-23307

Since Kafka is using log4j internally, these vulnerabilities are also applicable to us. Hence our security team is asking us to mitigate these vulnerabilities before releasing our product to the market.

On analyzing further, we found for the CVE CVE-2022-23307 there is a mitigation plan proposed by Kafka, in the below-mentioned article:
https://kafka.apache.org/cve-list


But in the same article, we didn't find any information for the CVEs CVE-2022-23302, CVE-2022-23305.

So kindly help us in clarifying the below queries:


  1.  Are the CVEs CVE-2022-23302, CVE-2022-23305 applicable to Apache Kafka? If so, how do we mitigate these vulnerabilities, and will there be any patch/fix that will be released?

  2.  If not vulnerable, can we remove the following vulnerable classes from the log4j jar?

                zip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class
                zip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class

  3.  Will there be any impact on Kafka's functionalities after removing the above-mentioned classes?



Thanks & Regards
Karupasamy
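The class-removal step asked about above (the two `zip -q -d` commands), as an added example that is not part of the mail thread or of Kafka or log4j: a small Python audit that reports whether the JMSSink and JDBCAppender entries are present in a jar, writes a stripped copy, and re-checks the result. The jar it operates on is a constructed stand-in with fake class entries, not a real log4j jar, and the function names are the author's own.

```python
"""Audit a log4j 1.x jar for the JMSSink / JDBCAppender entries and write a
stripped copy (same effect as `zip -q -d log4j-*.jar <class>`)."""
import os
import tempfile
import zipfile

# Jar entry paths named in the mail as candidates for removal.
VULNERABLE_CLASSES = (
    "org/apache/log4j/net/JMSSink.class",
    "org/apache/log4j/jdbc/JDBCAppender.class",
)


def find_vulnerable_classes(jar_path):
    """Return the sorted list of listed entries that exist in the jar."""
    with zipfile.ZipFile(jar_path) as jar:
        present = set(jar.namelist())
    return sorted(c for c in VULNERABLE_CLASSES if c in present)


def strip_classes(src_jar, dst_jar, classes=VULNERABLE_CLASSES):
    """Copy src_jar to dst_jar without the given entries; return what was dropped.
    zipfile cannot delete in place, so every other entry is copied across."""
    removed = []
    with zipfile.ZipFile(src_jar) as src, zipfile.ZipFile(dst_jar, "w") as dst:
        for info in src.infolist():
            if info.filename in classes:
                removed.append(info.filename)
                continue
            dst.writestr(info, src.read(info.filename))
    return sorted(removed)


def make_sample_jar(path):
    """Constructed stand-in for a log4j 1.2.x jar: fake entries, no real bytecode."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("org/apache/log4j/Logger.class", b"\xca\xfe\xba\xbe")
        for cls in VULNERABLE_CLASSES:
            jar.writestr(cls, b"\xca\xfe\xba\xbe")


def run_sample():
    """Build the sample jar, strip it, and return the before/after findings."""
    with tempfile.TemporaryDirectory() as workdir:
        src = os.path.join(workdir, "log4j-sample.jar")
        dst = os.path.join(workdir, "log4j-sample-stripped.jar")
        make_sample_jar(src)
        before = find_vulnerable_classes(src)
        removed = strip_classes(src, dst)
        with zipfile.ZipFile(dst) as jar:
            intact = jar.testzip() is None   # stripped copy still reads cleanly
            remaining = sorted(jar.namelist())
        return {"before": before, "removed": removed,
                "after": find_vulnerable_classes(dst),
                "intact": intact, "remaining": remaining}


if __name__ == "__main__":
    print(run_sample())
```

Whether Kafka itself still works without those entries is the separate question raised in the mail; this script only confirms that the entries are gone and the archive is still readable.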
