Dear Luke,

Thank you for your kind and prompt response.

On Mon, Apr 4, 2022 at 1:23 PM Luke Chen <show...@gmail.com> wrote:
> Hi,
>
> The impact for the CVE-2022-22965? Since this is an RCE vulnerability, which
> means the whole system (including Kafka and ZK) is under the attackers'
> control, and they can do whatever they want.
>
> The ideal fix for this is to upgrade Spring Framework to 5.3.18 and 5.2.20 or
> greater. Alternatively, you can have workarounds:
> 1. Upgrading Tomcat
> 2. Downgrading to Java 8
> 3. Disallowed Fields
>
> I think this blog from the Spring community is very clear:
> https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
>
> Thank you.
> Luke
>
> On Mon, Apr 4, 2022 at 3:32 PM Kafka Life <lifekafka...@gmail.com> wrote:
> >
> > Hi Kafka Experts
> >
> > Regarding the recent threat of vulnerability in Spring Framework,
> > CVE-2022-22965 vulnerability is SpringBoot (Java) for Apache Kafka and
> > ZooKeeper. Could one of you suggest how Apache Kafka and ZK are impacted
> > and what should be the ideal fix for this.
> >
> > Vulnerability in the Spring Framework (CVE-2022-22965) | Information
> > Security Office (berkeley.edu)
> > <https://security.berkeley.edu/news/vulnerability-spring-framework-cve-2022-22965>
> >
> > Critical alert – Spring4Shell RCE (CVE-2022-22965 in Spring) | Acunetix
> > <https://www.acunetix.com/blog/web-security-zone/critical-alert-spring4shell-rce-cve-2022-22965-in-spring/>
> >
> > Thanks in advance
> >
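For readers of this thread, the "Disallowed Fields" workaround Luke lists as item 3 is, in the linked Spring announcement, a global @ControllerAdvice that refuses to bind request parameters whose path goes through the class/Class property. This is an added illustration, not code from the thread or from the Kafka project; the class name BinderControllerAdvice is assumed, and the deny patterns are the ones published in the Spring blog post.

```java
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

// Global data-binder configuration applied to every controller in the
// Spring MVC application. The @Order value matches the Spring announcement
// so that this advice is applied after other @ControllerAdvice beans.
@ControllerAdvice
@Order(10000)
public class BinderControllerAdvice {

    @InitBinder
    public void setDisallowedFields(WebDataBinder dataBinder) {
        // Deny patterns from the Spring early announcement: any property
        // path that starts with, or contains, "class"/"Class" is rejected
        // by WebDataBinder before it can be set from request parameters.
        String[] denylist = new String[] {"class.*", "Class.*", "*.class.*", "*.Class.*"};
        dataBinder.setDisallowedFields(denylist);
    }
}
```

A controller-local @InitBinder method that itself calls setDisallowedFields replaces this list rather than extending it, so such controllers need the same entries; the upgrade to Spring Framework 5.3.18 / 5.2.20 remains the complete fix.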