Hi Karupasamy,

Thanks for asking. Answering your questions below:

> 1. Are the CVEs *CVE-2022-23302, CVE-2022-23305* applicable to the Apache Kafka?

Unfortunately, yes, these 2 CVEs (*CVE-2022-23302, CVE-2022-23305*) are also applicable to Apache Kafka, because they apply to the log4j 1.x version.

> If so, how to mitigate these vulnerabilities, and will there be any patch/fix that will be released?

Yes, the community is working on a KIP to upgrade log4j 1 to log4j 2. You can check its status here: KAFKA-9366 <https://issues.apache.org/jira/browse/KAFKA-9366>

> 2. If not vulnerable, can we remove the following vulnerable classes from the log4j jar?
>
> zip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class
> zip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class

Yes, I think so. Kafka doesn't use JMSSink or JDBCAppender at all.

> 3. Will there be any impact on Kafka's functionalities after removing the above-mentioned classes?

No. Kafka doesn't use JMSSink or JDBCAppender at all.

I'm going to submit a PR to add these 2 CVEs into the cve-list page: https://kafka.apache.org/cve-list. I think there should be other users who have the same questions.

Thank you.
Luke

On Fri, Jan 28, 2022 at 9:36 PM Karupasamy S <karupasam...@ericsson.com.invalid> wrote:

> Hi Team,
>
> Kindly awaiting your response, as this issue needs to be mitigated before our product release to the market in the coming days.
>
> Thanks & Regards
> Karupasamy
>
> *From:* Karupasamy S
> *Sent:* Thursday, January 27, 2022 4:12 PM
> *To:* users@kafka.apache.org
> *Cc:* Mariappan Thangavel <mariappan.thanga...@ericsson.com>
> *Subject:* Apache log4j 1.x vulnerability mitigations on Kafka
>
> Hi Team,
>
> We are using Apache Kafka as part of the ELK stack and we have an internal tool to find the vulnerabilities present on all the products/3pp which we use in our product.
>
> So we received the below vulnerabilities on log4j:
>
> *CVE-2022-23302, CVE-2022-23305, CVE-2022-23307*
>
> Since Kafka is using log4j internally, these vulnerabilities are also applicable to us. Hence our security team is asking us to mitigate these vulnerabilities before releasing our product to the market.
>
> On analyzing further, we found that for the CVE *CVE-2022-23307* there is a mitigation plan proposed by Kafka, in the below-mentioned article:
>
> https://kafka.apache.org/cve-list
>
> But in the same article, we didn't find any information for the CVEs *CVE-2022-23302, CVE-2022-23305*.
>
> So kindly help us in clarifying the below queries:
>
> 1. Are the CVEs *CVE-2022-23302, CVE-2022-23305* applicable to the Apache Kafka? If so, how to mitigate these vulnerabilities, and will there be any patch/fix that will be released?
>
> 2. If not vulnerable, can we remove the following vulnerable classes from the log4j jar?
>
> zip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class
> zip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class
>
> 3. Will there be any impact on Kafka's functionalities after removing the above-mentioned classes?
>
> Thanks & Regards
> Karupasamy
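The class-stripping workaround discussed in this thread is easy to apply but just as easy to get wrong (typo in the entry path, jar left unchanged, no record of what was removed). The script below is an added example, not code from this thread or from the Kafka project: it audits a log4j 1.x jar for the two entries named above (JMSSink for CVE-2022-23302, JDBCAppender for CVE-2022-23305), writes a stripped copy, and re-audits the result, which is the same effect as the `zip -q -d` commands but with a before/after check you can log. It uses only the Python standard library; the jar it builds in `build_sample_jar()` is a constructed stand-in with placeholder bytes, not a real log4j artifact, and `audit_jar_file`/`strip_jar_file` are names chosen here.

```python
"""Audit a log4j 1.x jar for the class entries named in the thread and strip them."""
import io
import shutil
import tempfile
import zipfile
from pathlib import Path

# Entry paths inside the jar, exactly as in the `zip -d` commands above.
VULNERABLE_ENTRIES = (
    "org/apache/log4j/net/JMSSink.class",       # CVE-2022-23302
    "org/apache/log4j/jdbc/JDBCAppender.class",  # CVE-2022-23305
)

# Placeholder class bytes (JVM magic + filler); constructed, not a compiled class.
_FAKE_CLASS = b"\xca\xfe\xba\xbe placeholder"


def build_sample_jar() -> bytes:
    """Constructed stand-in for a log4j 1.x jar containing the two entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/apache/log4j/Logger.class", _FAKE_CLASS)
        for entry in VULNERABLE_ENTRIES:
            zf.writestr(entry, _FAKE_CLASS)
    return buf.getvalue()


def find_vulnerable_entries(jar_bytes: bytes):
    """Return the listed entries that are actually present in the jar."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
    return [e for e in VULNERABLE_ENTRIES if e in names]


def strip_entries(jar_bytes: bytes, entries=VULNERABLE_ENTRIES) -> bytes:
    """Rewrite the jar without the given entries (what `zip -d` does in place)."""
    drop = set(entries)
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, \
            zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename in drop:
                continue
            # Re-use the original ZipInfo so compression and timestamps survive.
            dst.writestr(info, src.read(info.filename))
    return out.getvalue()


def audit_jar_file(path: Path):
    """Audit a jar on disk; returns the vulnerable entries found."""
    return find_vulnerable_entries(Path(path).read_bytes())


def strip_jar_file(path: Path) -> Path:
    """Back up the jar as <name>.bak, strip it in place, and verify the result."""
    path = Path(path)
    backup = path.with_suffix(path.suffix + ".bak")
    shutil.copy2(path, backup)
    path.write_bytes(strip_entries(path.read_bytes()))
    remaining = audit_jar_file(path)
    if remaining:
        raise RuntimeError(f"entries still present after strip: {remaining}")
    return backup


if __name__ == "__main__":
    # Stand-alone demo on the constructed jar, run in a temp directory.
    with tempfile.TemporaryDirectory() as tmp:
        jar = Path(tmp) / "log4j-1.2.17.jar"   # name is illustrative only
        jar.write_bytes(build_sample_jar())
        print("before:", audit_jar_file(jar))   # both entries listed
        backup = strip_jar_file(jar)
        print("after: ", audit_jar_file(jar))   # []
        print("backup:", backup.name)
```

Run it over a real jar by calling `audit_jar_file` first and `strip_jar_file` only on the ones that report entries; the backup file is what lets you roll back if the broker fails to start, and the post-strip audit is the check that the `zip -d` one-liner does not give you.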