adding new CVEs to list #388
Conversation
@scott-confluent : Thanks for the PR. LGTM
@showuon : Do you have any more comments on this?
cve-list.html
Outdated
<h2><a href="https://access.redhat.com/security/cve/CVE-2021-4104">CVE-2021-4104</a> | ||
Flaw in Apache Log4j logging library in versions 1.x</h2> | ||
|
||
<p>Some components in Apache Kafka use <code>Log4j-v1.2.17</code></p> |
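Review bot: "Some components in Apache Kafka use Log4j-v1.2.17" on the `<p>` line is too vague for an advisory entry, because an operator cannot match it against their own deployment. Enumerate the components that bundle log4j 1.2.17 (this thread names broker, controller, zookeeper, connect, mirrormaker and tools) and state separately that client applications are affected only if they themselves are configured with log4j 1.x. As a style point, the heading's href points at the Red Hat CVE page rather than the canonical CVE record; consider linking the record the other entries use so the list stays consistent.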
Could we spell out all components? I think the components include the following.
broker
controller
zookeeper
connect
mirrormaker
tools
clients configured with log4j
How does something like this sound?
"Some components, including but not limited to: broker, controller, zookeeper, connect, mirrormaker, tools, and clients configured with log4j, use Log4j-v1.2.17"
How about the following?
"The following components in Apache Kafka use Log4j-v1.2.17: broker, controller, zookeeper, connect, mirrormaker and tools. Clients may also be configured to use Log4j-v1.2.17."
A minor change. "Client applications may also be configured to use Log4j-v1.x."
Is this to update the last sentence of the first paragraph?
cve-list.html
Outdated
</tr> | ||
<tr> | ||
<td>Fixed versions</td> | ||
<td>NA</td> |
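Review bot: `<td>NA</td>` under "Fixed versions" leaves the reader with no action to take. There is no upstream log4j 1.x release that fixes this, so the cell should say that plainly ("No fixed release; see mitigation") rather than "NA", which reads as "not applicable", and the entry should point at the workaround raised in this thread: remove JMSAppender from the log4j-1.2.17.jar artifact using the commands documented at http://slf4j.org/log4shell.html, and keep the log4j configuration files protected against write access, since the flaw depends on someone being able to configure a JMSAppender.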
Since we don't have a fix yet, perhaps we could add the following.
In the absence of a new log4j 1.x release, one can remove JMSAppender from the log4j-1.2.17.jar artifact. Commands are listed in the page http://slf4j.org/log4shell.html.
We also recommend that configuration files be protected against write access as stated in http://slf4j.org/log4shell.html.
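The two mitigations discussed in the comment above, as an added example that is not part of this PR, of the kafka-site repository, or of Apache Kafka itself: a Python script that audits a Kafka-style install for log4j 1.x jars still containing `org/apache/log4j/net/JMSAppender.class`, rewrites each such jar without that entry (the same effect as the `zip -d` command on the slf4j page), flags any `log4j.properties` that declares a JMSAppender, and flags configuration files writable by group or others. The `libs/` and `config/` layout, the function names, and the fixture built by `build_sample_install()` are assumptions made for this example; the sample jar holds placeholder entries, not real bytecode.

```python
"""Audit and mitigate CVE-2021-4104 exposure in an install that ships log4j 1.x.

Added example; not code from the kafka-site PR or from Apache Kafka.
The libs/ and config/ layout and all names below are assumptions for the demo.
"""
import io
import os
import re
import stat
import tempfile
import zipfile

# The class that implements JMSAppender in every log4j 1.2.x jar.
JMS_APPENDER_CLASS = "org/apache/log4j/net/JMSAppender.class"
LOG4J1_JAR = re.compile(r"^log4j-1\.\d+\.\d+\.jar$")
# Any appender wired up as a JMSAppender in a log4j 1.x properties file.
JMS_APPENDER_CFG = re.compile(
    r"^\s*log4j\.appender\.[\w.]+\s*=\s*org\.apache\.log4j\.net\.JMSAppender\s*$", re.M)


def jar_has_jms_appender(jar_path):
    with zipfile.ZipFile(jar_path) as zf:
        return JMS_APPENDER_CLASS in zf.namelist()


def strip_jms_appender(jar_path):
    """Same effect as `zip -q -d log4j-1.2.17.jar org/apache/log4j/net/JMSAppender.class`.
    ZIP archives cannot be edited in place, so the jar is rewritten without the entry
    and swapped in atomically. Returns True if the class was present and removed."""
    with zipfile.ZipFile(jar_path) as src:
        if JMS_APPENDER_CLASS not in src.namelist():
            return False
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as dst:
            for info in src.infolist():
                if info.filename != JMS_APPENDER_CLASS:
                    dst.writestr(info, src.read(info.filename))
    tmp = jar_path + ".tmp"
    with open(tmp, "wb") as fh:
        fh.write(buf.getvalue())
    os.replace(tmp, jar_path)
    return True


def config_declares_jms_appender(text):
    """The flaw is only reachable through a configured JMSAppender, so a config
    that never declares one is the other half of the check."""
    return JMS_APPENDER_CFG.search(text) is not None


def config_writable_by_others(path):
    """Group- or world-writable config is exactly the write access the advisory
    says to prevent: whoever can edit it can add a JMSAppender."""
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit(libs_dir, config_dir, fix=False):
    """Walk libs/ for log4j 1.x jars and config/ for .properties files; with
    fix=True, strip JMSAppender from each jar that still carries it."""
    findings = {"jars_with_jms": [], "jars_fixed": [],
                "configs_with_jms": [], "writable_configs": []}
    for name in sorted(os.listdir(libs_dir)):
        if not LOG4J1_JAR.match(name):
            continue
        path = os.path.join(libs_dir, name)
        if jar_has_jms_appender(path):
            findings["jars_with_jms"].append(name)
            if fix and strip_jms_appender(path):
                findings["jars_fixed"].append(name)
    for name in sorted(os.listdir(config_dir)):
        if not name.endswith(".properties"):
            continue
        path = os.path.join(config_dir, name)
        with open(path, encoding="utf-8") as fh:
            if config_declares_jms_appender(fh.read()):
                findings["configs_with_jms"].append(name)
        if config_writable_by_others(path):
            findings["writable_configs"].append(name)
    return findings


def build_sample_install():
    """Constructed fixture (not a real Kafka tree): a throwaway libs/ and config/.
    The jar's entries are placeholders; only the entry names matter here."""
    root = tempfile.mkdtemp(prefix="cve-2021-4104-demo-")
    libs, config = os.path.join(root, "libs"), os.path.join(root, "config")
    os.makedirs(libs)
    os.makedirs(config)
    with zipfile.ZipFile(os.path.join(libs, "log4j-1.2.17.jar"), "w") as zf:
        zf.writestr("org/apache/log4j/Logger.class", b"\xca\xfe\xba\xbe")
        zf.writestr(JMS_APPENDER_CLASS, b"\xca\xfe\xba\xbe")
    bad = os.path.join(config, "connect-log4j.properties")  # constructed: wires a JMSAppender in
    with open(bad, "w", encoding="utf-8") as fh:
        fh.write("log4j.rootLogger=INFO, stdout, jms\n"
                 "log4j.appender.stdout=org.apache.log4j.ConsoleAppender\n"
                 "log4j.appender.jms=org.apache.log4j.net.JMSAppender\n")
    os.chmod(bad, 0o644)
    loose = os.path.join(config, "log4j.properties")  # constructed: safe content, unsafe mode
    with open(loose, "w", encoding="utf-8") as fh:
        fh.write("log4j.rootLogger=INFO, stdout\n"
                 "log4j.appender.stdout=org.apache.log4j.ConsoleAppender\n")
    os.chmod(loose, 0o666)
    return libs, config


def run_demo():
    """Audit with fix=True, then audit again to show the jar finding is gone."""
    libs, config = build_sample_install()
    return audit(libs, config, fix=True), audit(libs, config)


if __name__ == "__main__":
    before, after = run_demo()
    print("before:", before)
    print("after: ", after)
```

The second audit in `run_demo()` no longer reports the jar, but the config findings remain: stripping the class stops the appender from loading, while a JMSAppender left in a writable properties file is still the condition an operator needs to clean up by hand.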
@scott-confluent : Have you pushed the new changes?
@ijuma : Does the content look good to you? Thanks.
Do we want to add a disclaimer that users need to check their connectors to see if they use log4j2? Though the core library does not use this dependency, it is possible external connectors that use it could introduce vulnerabilities if they depend on the affected log4j2 version.
@junrao what do you think?
cve-list.html
Outdated
<h2><a href="https://access.redhat.com/security/cve/CVE-2021-4104">CVE-2021-4104</a> | ||
Flaw in Apache Log4j logging library in versions 1.x</h2> | ||
|
||
<p>The following components in Apache Kafka use <code>Log4j-v1.2.17</code>: broker, controller, zookeeper, connect, mirrormaker and tools. Clients may also be configured to use <code>Log4j-v1.2.17</code>.</p> |
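Review bot: the closing sentence of the `<p>`, "Clients may also be configured to use Log4j-v1.2.17", pins client applications to a version they do not ship with; clients bring their own logging backend, so it should read "Client applications may also be configured to use Log4j-v1.x", as proposed earlier in this thread. The component list itself (broker, controller, zookeeper, connect, mirrormaker and tools) matches what the review agreed on, so that version string is the only remaining edit in this hunk.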
"Clients may also be configured to use Log4j-v1.2.17" => "Clients may also be configured to use Log4j-v1.x"
Updated. Thanks for clarifying
As background for Connect:
We might consider adding something like this under the
Basically, AK is not responsible for third party connectors that users add to their Connect installations. But users should consult with the vendor of those third party connectors. As for Feel free to wordsmith as needed.
Or, if we want something even simpler, maybe we could just add a sentence to the
Thanks, @rhauch. The simpler version is probably enough. @scott-confluent : Could you add that?
@scott-confluent : Thanks for the updated PR. LGTM
Per https://docs.google.com/document/d/1zar4nlhIQnDB7qm9i4RqFUFXM5pWP7_a0WERcLlR0Wo/edit#heading=h.jp7xjzp1clqe