Which versions of Kafka are impacted by CVE-2021-44228?
Nothing is yet updated on Apache Kafka Security Vulnerabilities about this vulnerability.
Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding the security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution attack when an attacker can modify the logging configuration (the later JDBC Appender issue, CVE-2021-44832). That is not the CVE-2021-44228 range, which is 2.0-beta9 through 2.14.1.
Answer: No, NetBackup clients do not use log4j 2.x, and are NOT vulnerable to CVE-2021-44228 or CVE-2021-45046.
Kafka Connect and other Confluent Platform components use the Java-based logging utility Apache Log4j to collect runtime data and record component events.
CVE-2021-44228 is a remote code execution vulnerability that can be exploited without authentication. In short, it is an unauthenticated RCE affecting Apache Log4j 2 versions from 2.0-beta9 up to and including 2.14.1; the first fix shipped in 2.15.0.
A post about how we performed an analysis of the Kafka connectors in use for a customer to detect if they were vulnerable to the recently discovered Log4j vulnerability - CVE-2021-44228 and CVE-2021-45046. The Log4j vulnerability has taken the Internet by storm since its discovery late last week.
Reload4j 1.2.18.0 has been released as a replacement for log4j 1.2.17 with fixes for CVE-2021-4104 and CVE-2019-17571. For Log4j 1.x you are vulnerable to CVE-2021-4104 only if your log4j configuration uses a JMSAppender. A description of the vulnerability and possible mitigations for CVE-2021-44228 are explained here.
The following components in Apache Kafka use Log4j-v1.2.17: broker, controller, zookeeper, connect, mirrormaker and tools. Clients may also be configured to use Log4j-v1.x. Version 1.x of Log4J can be configured to use JMS Appender, which publishes log events to a JMS Topic.
The Apache Kafka Security Vulnerabilities page has confirmed:
"Users should NOT be impacted by this vulnerability."
Version 1.x of Log4J can be configured to use JMS Appender, which publishes log events to a JMS Topic. Log4j 1.x is vulnerable if the deployed application is configured to use JMSAppender.
So please check the site for details.
As suggested by bovine, log4j 1.x may also be affected by this vulnerability.
Strictly speaking, applications using Log4j 1.x may be impacted if their configuration uses JNDI. However, the risk is much lower.
Please refer to this link for the latest status.
By checking dependencies.gradle of Kafka: 1.0.0 and 3.0.0 both are using 1.2.17.
As the issue affects versions from 2.0-beta9 to 2.14.1, Kafka is not affected by this security vulnerability.
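The two checks the thread keeps coming back to (which Log4j line each jar in a Kafka install belongs to, and, for the 1.x line the Kafka advisory describes, whether the configuration actually enables JMSAppender) can be scripted. The following is an added example written for this page, not Kafka's own tooling or anything from the linked advisories. It treats a Log4j 2 core jar as exposed to CVE-2021-44228 when it still ships `JndiLookup.class` and its version is below 2.15.0 (ignoring the 2.12.2 and 2.3.1 backport releases), and it flags a `log4j.properties`/`log4j.xml` that references `org.apache.log4j.net.JMSAppender`. The directory layout and the jars it inspects are a constructed fixture built in a temp directory, so it runs offline; point `audit()` at a real `libs/` and `config/` tree to use it for real.

```python
#!/usr/bin/env python3
"""Audit a Java install tree (e.g. a Kafka distribution) for Log4j exposure.

Added example, not Kafka project code. Identifies Log4j 1.x vs 2.x jars via
the Maven pom.properties each jar carries, checks 2.x core jars for the JNDI
lookup class, and checks 1.x configs for JMSAppender (CVE-2021-4104).
"""
import os
import re
import tempfile
import zipfile

# Class whose presence makes an old Log4j 2.x core jar exploitable via JNDI;
# deleting it from the jar is the documented mitigation for unpatched 2.x.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# The Log4j 1.x appender named by the Kafka advisory and CVE-2021-4104.
JMS_APPENDER_RE = re.compile(r"org\.apache\.log4j\.net\.JMSAppender")
# Backport releases below 2.15.0 that already carry the CVE-2021-44228 fix.
FIXED_BACKPORTS = {(2, 12, 2), (2, 3, 1)}


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0) (pre-release tag dropped)."""
    nums = [int(p) for p in re.findall(r"\d+", text.split("-")[0])]
    return tuple((nums + [0, 0, 0])[:3])


def inspect_jar(path):
    """Return a finding dict for a Log4j jar, or None for any other jar."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        for name in names:
            if not (name.startswith("META-INF/maven/") and name.endswith("pom.properties")):
                continue
            props = dict(line.split("=", 1)
                         for line in zf.read(name).decode("utf-8", "replace").splitlines()
                         if "=" in line and not line.startswith("#"))
            group, artifact = props.get("groupId"), props.get("artifactId")
            version = props.get("version", "")
            if group == "log4j" and artifact == "log4j":
                # Log4j 1.x: not in the CVE-2021-44228 range at all.
                return {"jar": os.path.basename(path), "line": 1,
                        "version": version, "cve_2021_44228": False}
            if group == "org.apache.logging.log4j" and artifact == "log4j-core":
                v = parse_version(version)
                exposed = (JNDI_LOOKUP_CLASS in names and v < (2, 15, 0)
                           and v not in FIXED_BACKPORTS)
                return {"jar": os.path.basename(path), "line": 2,
                        "version": version, "cve_2021_44228": exposed}
    return None


def config_uses_jms_appender(config_text):
    """True if a log4j 1.x properties/XML config references JMSAppender."""
    return bool(JMS_APPENDER_RE.search(config_text))


def audit(root):
    """Walk root; return (Log4j jar findings, config files enabling JMSAppender)."""
    jars, jms_configs = [], []
    for dirpath, _, files in os.walk(root):
        for f in files:
            full = os.path.join(dirpath, f)
            if f.endswith(".jar"):
                finding = inspect_jar(full)
                if finding:
                    jars.append(finding)
            elif f in ("log4j.properties", "log4j.xml"):
                with open(full, encoding="utf-8", errors="replace") as fh:
                    if config_uses_jms_appender(fh.read()):
                        jms_configs.append(full)
    return jars, jms_configs


def _write_jar(path, entries):
    with zipfile.ZipFile(path, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)


def build_sample_tree(root):
    """Constructed fixture (not a real Kafka install): one 1.2.17 jar, one
    unpatched 2.14.1 core jar, one patched 2.17.1 core jar, and a
    log4j.properties that wires up JMSAppender. Class bodies are dummies."""
    libs, cfg = os.path.join(root, "libs"), os.path.join(root, "config")
    os.makedirs(libs)
    os.makedirs(cfg)
    _write_jar(os.path.join(libs, "log4j-1.2.17.jar"), {
        "META-INF/maven/log4j/log4j/pom.properties":
            "groupId=log4j\nartifactId=log4j\nversion=1.2.17\n",
        "org/apache/log4j/net/JMSAppender.class": b"\xca\xfe\xba\xbe"})
    for ver in ("2.14.1", "2.17.1"):
        _write_jar(os.path.join(libs, f"log4j-core-{ver}.jar"), {
            "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties":
                f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={ver}\n",
            JNDI_LOOKUP_CLASS: b"\xca\xfe\xba\xbe"})
    with open(os.path.join(cfg, "log4j.properties"), "w") as fh:
        fh.write("log4j.rootLogger=INFO, jms\n"
                 "log4j.appender.jms=org.apache.log4j.net.JMSAppender\n"
                 "log4j.appender.jms.TopicBindingName=logTopic\n")
    return root


def run_sample():
    """Build the fixture in a temp dir, audit it, return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit(build_sample_tree(tmp))


if __name__ == "__main__":
    jars, jms = run_sample()
    for j in sorted(jars, key=lambda x: x["jar"]):
        print(f"{j['jar']}: log4j {j['line']}.x {j['version']} "
              f"CVE-2021-44228 exposed={j['cve_2021_44228']}")
    for path in jms:
        print(f"JMSAppender enabled in {path} (CVE-2021-4104 condition)")
```

On a real host, the useful outcome is the combination: a 1.2.17 jar plus no JMSAppender in the config means the Kafka advisory's "not impacted" statement holds for that node, while a 1.2.17 jar next to a connector bundle that drags in an unpatched log4j-core 2.x jar (the situation the Kafka Connect post above investigates) shows up as an exposed 2.x finding.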