Which versions of Kafka are impacted by Log4j CVE-2021-44228?

Which versions of Kafka are impacted by CVE-2021-44228?
Nothing is yet updated on Apache Kafka Security Vulnerabilities about this vulnerability.

Update 2021-12-15
APACHE KAFKA SECURITY VULNERABILITIES has confirmed:
CVE-2021-45046
Users should NOT be impacted by this vulnerability
CVE-2021-44228
Users should NOT be impacted by this vulnerability
CVE-2021-4104
Version 1.x of Log4J can be configured to use JMS Appender, which publishes log events to a JMS Topic. Log4j 1.x is vulnerable if the deployed application is configured to use JMSAppender.
So please check the site for details.
Update 2021-12-13
As suggested by bovine, log4j 1.x may also be affected by this vulnerability.
Strictly speaking, applications using Log4j 1.x may be impacted if their configuration uses JNDI. However, the risk is much lower.
Please refer to this link for the latest status.
Evidence for not using log4j2
By checking dependencies.gradle of Kafka, both 1.0.0 and 3.0.0 are using 1.2.17.
As the issue affects versions from 2.0-beta9 to 2.14.1, Kafka is not affected by this security vulnerability.
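The two checks the answer above relies on, the Log4j version range for CVE-2021-44228 (2.0-beta9 through 2.14.1) and the JMSAppender precondition for CVE-2021-4104 on Log4j 1.x, can be run against a Kafka installation rather than read off dependencies.gradle. The script below is an added example, not code from the original post or from the Kafka project. It assumes the jar naming Log4j itself publishes (log4j-1.2.17.jar for 1.x, log4j-core-2.x.y.jar for the 2.x core artifact) and a Log4j 1.x properties file such as Kafka's config/log4j.properties; the jar list and both configuration files are constructed samples.

```python
import re
from typing import Dict, List, Optional

# Log4j jar names as published by the project (assumption: the installation
# keeps the upstream artifact names), e.g.
#   log4j-1.2.17.jar        Log4j 1.x, a single artifact
#   log4j-core-2.14.1.jar   Log4j 2.x core, the artifact that carries the JNDI lookup
#   log4j-api-2.14.1.jar    Log4j 2.x API only
JAR_RE = re.compile(
    r"^log4j(?:-(?P<artifact>[a-z][a-z0-9-]*?))?-(?P<version>\d[^/]*?)\.jar$"
)

# CVE-2021-44228 range as stated in the answer above: 2.0-beta9 through 2.14.1.
VULNERABLE_LOW = "2.0-beta9"
VULNERABLE_HIGH = "2.14.1"

PRERELEASE_RANK = {"alpha": 0, "beta": 1, "rc": 2}


def version_key(version: str):
    """Sortable key for Log4j versions such as '2.0-beta9' or '2.14.1'.

    Numeric parts are padded to three places; a pre-release tag sorts before
    the final release of the same number (2.0-beta9 < 2.0-rc1 < 2.0 < 2.0.1).
    """
    release, _, pre = version.partition("-")
    nums = [int(p) for p in release.split(".")]
    nums += [0] * (3 - len(nums))
    if pre:
        m = re.match(r"([a-z]+)(\d*)", pre)
        tag = PRERELEASE_RANK.get(m.group(1), 3) if m else 3
        number = int(m.group(2)) if m and m.group(2) else 0
        pre_key = (0, tag, number)
    else:
        pre_key = (1, 0, 0)  # a final release sorts after any pre-release of it
    return (tuple(nums), pre_key)


def classify_jar(jar_name: str) -> Optional[Dict[str, object]]:
    """Describe one jar filename; None if it is not a Log4j jar at all."""
    m = JAR_RE.match(jar_name)
    if not m:
        return None
    artifact = m.group("artifact") or "log4j"
    version = m.group("version")
    finding = {"jar": jar_name, "artifact": artifact, "version": version,
               "cve_2021_44228": False, "note": ""}
    if version.startswith("1."):
        finding["note"] = ("Log4j 1.x: outside the CVE-2021-44228 range; CVE-2021-4104 "
                           "applies only if JMSAppender is configured")
    elif artifact == "core":
        in_range = (version_key(VULNERABLE_LOW) <= version_key(version)
                    <= version_key(VULNERABLE_HIGH))
        finding["cve_2021_44228"] = in_range
        finding["note"] = (f"log4j-core {version} is in {VULNERABLE_LOW}..{VULNERABLE_HIGH}"
                           if in_range else f"log4j-core {version} is outside the stated range")
    else:
        finding["note"] = f"Log4j 2.x '{artifact}' artifact; the JNDI lookup lives in log4j-core"
    return finding


# A Log4j 1.x appender line of the form log4j.appender.NAME=org.apache.log4j.net.JMSAppender.
# Comment lines begin with '#', so they cannot match the leading 'log4j.' token.
JMS_APPENDER_RE = re.compile(
    r"^\s*log4j\.appender\.[\w.]+\s*=\s*org\.apache\.log4j\.net\.JMSAppender\s*$",
    re.MULTILINE,
)


def uses_jms_appender(log4j1_properties: str) -> bool:
    """True if a Log4j 1.x properties file declares a JMSAppender (CVE-2021-4104 precondition)."""
    return JMS_APPENDER_RE.search(log4j1_properties) is not None


def audit(jar_names: List[str], log4j1_properties: str) -> Dict[str, object]:
    """Combine the jar inventory and the 1.x configuration into one verdict per CVE."""
    findings = [f for f in (classify_jar(n) for n in jar_names) if f]
    log4j1_present = any(str(f["version"]).startswith("1.") for f in findings)
    return {
        "findings": findings,
        "cve_2021_44228": any(f["cve_2021_44228"] for f in findings),
        "cve_2021_4104": log4j1_present and uses_jms_appender(log4j1_properties),
    }


# Constructed sample: jars a Kafka 3.0.0 libs/ directory would carry, with the
# log4j-1.2.17.jar that matches the dependencies.gradle entry quoted above.
CONSTRUCTED_KAFKA_LIBS = ["kafka_2.13-3.0.0.jar", "kafka-clients-3.0.0.jar",
                          "log4j-1.2.17.jar", "slf4j-log4j12-1.7.30.jar"]

# Constructed sample in the style of Kafka's config/log4j.properties: console appender only.
CONSTRUCTED_DEFAULT_CONFIG = """\
log4j.rootLogger=INFO, stdout
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
"""

# Constructed sample of the configuration CVE-2021-4104 requires: a JMSAppender.
CONSTRUCTED_JMS_CONFIG = """\
log4j.rootLogger=INFO, jms
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.TopicBindingName=logTopic
"""

if __name__ == "__main__":
    import json
    print(json.dumps(audit(CONSTRUCTED_KAFKA_LIBS, CONSTRUCTED_DEFAULT_CONFIG), indent=2))
```

On a real broker, replace CONSTRUCTED_KAFKA_LIBS with the filenames under the installation's libs/ directory and the configuration string with the contents of the log4j.properties the broker is started with; the verdict is only as good as that inventory, so shaded or renamed jars would need a class-level check instead. The check covers exactly the two facts the thread states and says nothing about later 2.x releases or CVE-2021-45046.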

Related

It is possible to upgrade pulsar broker without upgrading bookkeeper?

I want to upgrade the Pulsar brokers in a pulsar cluster (from 2.6.3 to 2.10.1)
The question is could I just upgrade the brokers to 2.10.1 (and leave other components (Bookkeeper as well ZooKeeper) in 2.6.3)
(Asking this because according to this https://pulsar.apache.org/docs/administration-upgrade, I am not sure if I also need to upgrade BookKeeper or not)
Thank you !
2.6.3 contains a very old version of ZooKeeper (3.5.x) and from Pulsar 2.8.x onwards we require ZooKeeper 3.6.x because Pulsar uses the Persistent Recursive Watches feature.
I suggest upgrading ZooKeeper and BookKeeper as well, at least to Pulsar 2.8.x.
As a general rule of thumb, in Pulsar we support rolling upgrades from one major version to the next (so from 2.6 to 2.7...).
Jumping from 2.6 to 2.10 is not supported officially, but it should work.

Zookeeper - Due Date for Log4J Upgrade

The Log4J version (1.x) used by Apache Zookeeper exposes users to the following CVEs:
Critical -
CVE-2019-17571
CVE-2022-23305
CVE-2022-23307
High -
CVE-2022-23302
CVE-2021-4104
Low -
CVE-2020-9488
When (on which release) will Zookeeper be upgraded to the latest Log4J release?
is there a workaround?
Thanks.

Hazelcast 3.11 + log4j

Good day, does anyone find information about log4j involving Hazelcast 3.11?
The official website doesn't show anything about the log4j vulnerability.
The vulnerability is addressed in Log4j 2.15.0. The Hazelcast team is currently working to release fixes for the versions listed above. UPDATE on December 15, 2021: IMDG 4.0.4, 4.1.7 and 4.2.3 have been released. The remaining releases of Hazelcast 5.0.1 and Hazelcast Jet 4.5.2 are being worked on.
Users that explicitly use a vulnerable Log4j2 library are advised to upgrade to Log4j 2.15.0 as soon as possible.
For more: Security Advisory for "Log4Shell" CVE-2021-44228 and CVE-2021-45046

Cassandra log4j Vulnerability exception

We are using apache Cassandra 3.11.7 running on native kubernetes cluster. Is it vulnerable to the log4j security exception?
Here you find a list of affected software. Cassandra is not in the list. https://github.com/cisagov/log4j-affected-db

Upgrading from gridgain to Apache Ignite

We're currently running gridgain 6.2.1. Is there an existing upgrade guide in order to transition to apache ignite?
There is no such guide, and it highly depends on what parts of GridGain you're using. All functionality that existed in 6.x was migrated to Ignite with a slightly different API. So I suggest updating the version and fixing compilation step by step.