
kafka-rest uses vulnerable log4j version

Open • pavel-sbor opened this issue 4 years ago • 1 comment

Description

I checked the Confluent Kafka 5.5.1 distribution with WhiteSource and found out that the log4j version used in kafka-rest has vulnerabilities:

  • log4j-1.2.17.jar has CVE-2019-17571 and CVE-2020-9488 vulnerabilities. The way to fix it is to upgrade to org.apache.logging.log4j:log4j-core:2.13.2

To Reproduce

Download the Confluent Kafka 5.5.1 distribution (for example: curl -O http://packages.confluent.io/archive/5.5/confluent-community-5.5.1-2.12.tar.gz). Open the share/java/kafka-rest folder in it and find log4j-1.2.17.jar. Check https://nvd.nist.gov/vuln/detail/CVE-2019-17571 and https://nvd.nist.gov/vuln/detail/CVE-2020-9488 to see that log4j 1.2.17 is listed under "Known Affected Software Configurations".

Expected behavior

  • log4j upgraded to log4j-core:2.13.2 or higher

Actual behavior

  • log4j is 1.2.17

pavel-sbor • Jul 07 '20 16:07
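A defender-side version of the reproduction steps above, added here as an example and not part of the issue or of the kafka-rest project: it walks an unpacked distribution tree, parses every log4j jar name, and flags versions older than the 2.13.2 fix the report asks for. The directory layout and jar names are a constructed sample (created as empty files) that mirrors the issue's share/java/kafka-rest path, so it runs offline.

```python
"""Flag log4j jars below the fix version named in the issue (2.13.2)."""
import os
import re
import tempfile
from pathlib import Path

MIN_FIXED = (2, 13, 2)  # log4j-core version the issue asks for
# artifact id, then -major.minor.patch.jar; lazy group so "log4j-1.2-api-2.x.y" parses
JAR_RE = re.compile(r"^(log4j(?:-[A-Za-z0-9.-]+?)?)-(\d+)\.(\d+)\.(\d+)\.jar$")
# SLF4J's bridge jar carries SLF4J's own version and is not a log4j implementation
NOT_LOG4J = {"log4j-over-slf4j"}


def parse_log4j_jar(name):
    """Return (artifact_id, (major, minor, patch)) for a log4j jar name, else None."""
    m = JAR_RE.match(name)
    if not m or m.group(1) in NOT_LOG4J:
        return None
    return m.group(1), tuple(int(x) for x in m.groups()[1:])


def find_vulnerable_log4j(root):
    """List (relative path, version) for every log4j jar under root below MIN_FIXED."""
    root = Path(root)
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            parsed = parse_log4j_jar(f)
            if parsed and parsed[1] < MIN_FIXED:
                rel = (Path(dirpath) / f).relative_to(root).as_posix()
                findings.append((rel, parsed[1]))
    return sorted(findings)


def scan_sample_tree():
    """Build a constructed distribution layout (empty jar files) and scan it."""
    sample = [
        "share/java/kafka-rest/log4j-1.2.17.jar",             # the jar the issue reports
        "share/java/kafka-rest/log4j-over-slf4j-1.7.30.jar",  # bridge, must be ignored
        "share/java/kafka-rest/kafka-clients-5.5.1-ccs.jar",  # unrelated jar
        "share/java/other/log4j-core-2.11.1.jar",             # old 2.x, also below fix
        "share/java/other/log4j-core-2.13.2.jar",             # at the fix version
    ]
    with tempfile.TemporaryDirectory() as d:
        for p in sample:
            (Path(d) / p).parent.mkdir(parents=True, exist_ok=True)
            (Path(d) / p).touch()
        return find_vulnerable_log4j(d)


if __name__ == "__main__":
    for rel, ver in scan_sample_tree():
        print(f"{rel}: log4j {'.'.join(map(str, ver))} is below 2.13.2")
```

Point find_vulnerable_log4j at the directory the tarball unpacks into to run it against a real download.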

Pavel, thank you for raising this issue. The CVEs have been addressed. We recommend using the latest release 5.5.11: http://packages.confluent.io/archive/5.5/confluent-5.5.11-2.12.zip

janjwerner-confluent • Sep 27 '22 16:09