Dear Luke, Thank you for your kind and prompt response.

On Mon, Apr 4, 2022 at 1:23 PM Luke Chen <show...@gmail.com> wrote:

> Hi,
>
> The impact for CVE-2022-22965? Since this is an RCE vulnerability, which
> means the whole system (including Kafka and ZK) is under the attackers'
> control, and they can do whatever they want.
>
> The ideal fix for this is to upgrade to Spring Framework 5.3.18 and 5.2.20 or
> greater. Alternatively, you can have workarounds:
> 1. Upgrading Tomcat
> 2. Downgrading to Java 8
> 3. Disallowed Fields
>
> I think this blog from Spring community is very clear:
> https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
>
> Thank you.
> Luke
>
> On Mon, Apr 4, 2022 at 3:32 PM Kafka Life <lifekafka...@gmail.com> wrote:
>
> > Hi Kafka Experts
> >
> > Regarding the recent threat of vulnerability in the Spring Framework,
> > CVE-2022-22965 vulnerability is SpringBoot (Java) for Apache Kafka and
> > Zookeeper. Could one of you suggest how Apache Kafka and ZK are impacted
> > and what should be the ideal fix for this.
> >
> > Vulnerability in the Spring Framework (CVE-2022-22965) | Information
> > Security Office (berkeley.edu)
> > <https://security.berkeley.edu/news/vulnerability-spring-framework-cve-2022-22965>
> >
> > Critical alert – Spring4Shell RCE (CVE-2022-22965 in Spring) | Acunetix
> > <https://www.acunetix.com/blog/web-security-zone/critical-alert-spring4shell-rce-cve-2022-22965-in-spring/>
> >
> >
> > Thanks in advance
> >
>
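Workaround 3 in Luke's list ("Disallowed Fields") is the one that can be applied without touching the JDK or Tomcat. The snippet below is an added example, not code from this thread or from the Kafka project; it follows the `@ControllerAdvice` / `@InitBinder` pattern that the linked Spring early-announcement blog published as the interim mitigation, and it assumes a Spring MVC (Spring Boot) web application in which the `BinderControllerAdvice` class name and package are placeholders chosen here. The deny-list blocks data-binding paths that traverse `class`/`Class` properties, which is the path CVE-2022-22965 abuses; it is a stop-gap only, and upgrading to a fixed Spring Framework (5.3.18+ / 5.2.20+) remains the real fix.

```java
package example.mitigation; // placeholder package for this added example

import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

/**
 * Global data-binder hardening (interim mitigation for CVE-2022-22965).
 *
 * Runs with lowest precedence so that any controller-local @InitBinder
 * that calls setDisallowedFields() does not silently override this
 * deny-list; the last @InitBinder to run wins for that binder.
 */
@ControllerAdvice
@Order(Ordered.LOWEST_PRECEDENCE)
public class BinderControllerAdvice {

    /**
     * Property paths that must never be reachable through request-parameter
     * binding. Patterns follow Spring's wildcard matching for field names.
     */
    private static final String[] DENY_LIST = {
            "class.*",     // obj.class.classLoader...
            "Class.*",     // case variant accepted by some property resolvers
            "*.class.*",   // nested: obj.child.class.classLoader...
            "*.Class.*"
    };

    @InitBinder
    public void setDisallowedFields(WebDataBinder dataBinder) {
        // Merge with any fields a controller already disallowed rather than replacing them.
        String[] existing = dataBinder.getDisallowedFields();
        if (existing == null || existing.length == 0) {
            dataBinder.setDisallowedFields(DENY_LIST);
            return;
        }
        String[] merged = new String[existing.length + DENY_LIST.length];
        System.arraycopy(existing, 0, merged, 0, existing.length);
        System.arraycopy(DENY_LIST, 0, merged, existing.length, DENY_LIST.length);
        dataBinder.setDisallowedFields(merged);
    }
}
```

Note that Apache Kafka and ZooKeeper themselves do not embed the Spring Framework; this advice only matters for a Spring-based application (for example a Spring Boot service using spring-kafka) deployed as a WAR on Tomcat with JDK 9+, which is the affected configuration described in the linked announcement. Verify after deployment that a request carrying a `class.module.classLoader.*` parameter is rejected by the binder rather than bound, and treat the deny-list as temporary until the framework upgrade is in place.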
