Affected by CVE-2021-44228?
Hi,
can somebody please confirm that the image confluentinc/cp-kafka:6.0.1 is NOT affected by the log4j vulnerability CVE-2021-44228?
If I checked correctly, it uses a custom log4j version based on v1.2.17 (https://github.com/confluentinc/kafka/blob/9c1fbb3db1e0d69d09f165b3b9861fc984ad1a62/gradle/dependencies.gradle#L78), which is not included in the list of affected versions. Still, I want to make sure I am right here.
Thank you!
Issue Analytics
- State:
- Created 2 years ago
- Reactions:10
- Comments:5 (1 by maintainers)
Top GitHub Comments
Please see Confluent’s official stance on this topic: https://support.confluent.io/hc/en-us/articles/4412615410580-December-2021-Log4j-Vulnerabilities-Advisory
According to this SO post, Log4J 1.x should only be vulnerable if you have configured the JMSAppender. That said, Log4J 1.x has other vulnerabilities.
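
The JMSAppender condition mentioned in the last comment can be checked against a log4j 1.x configuration. The following is an added example, not part of the issue thread or of Confluent's code. It assumes a properties-format config (XML configs are not covered) and the class name org.apache.log4j.net.JMSAppender; the sample input is constructed.

```python
import re

JMS_CLASS = "org.apache.log4j.net.JMSAppender"

def parse_properties(text):
    """Minimal Java .properties reader: comments, '=' or ':' separators,
    and backslash line continuations."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):          # value continues on the next line
            pending = line[:-1]
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        props[m.group(1)] = m.group(2)
    return props

def find_jms_appenders(text):
    """Return {appender_name: attached} for every JMSAppender defined in a
    log4j 1.x properties config. 'attached' is True when a logger refers to it."""
    props = parse_properties(text)
    # Appender definitions look like: log4j.appender.<name>=<class>
    jms = {k.split(".", 2)[2] for k, v in props.items()
           if re.fullmatch(r"log4j\.appender\.[^.]+", k) and v.strip() == JMS_CLASS}
    attached = set()
    for k, v in props.items():
        if k in ("log4j.rootLogger", "log4j.rootCategory") or \
           k.startswith(("log4j.logger.", "log4j.category.")):
            refs = [p.strip() for p in v.split(",")[1:]]  # first field is the level
            attached.update(n for n in refs if n in jms)
    return {name: name in attached for name in sorted(jms)}

# Constructed sample config, not taken from any real image.
SAMPLE = """\
log4j.rootLogger=INFO, stdout
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.audit = org.apache.log4j.net.JMSAppender
log4j.appender.audit.TopicBindingName=logTopic
log4j.appender.spare=org.apache.log4j.net.JMSAppender
log4j.logger.kafka.request=WARN, \\
    audit
"""

if __name__ == "__main__":
    for name, used in find_jms_appenders(SAMPLE).items():
        print(f"JMSAppender '{name}': {'attached to a logger' if used else 'defined, unused'}")
```

An empty result means no JMSAppender is declared in that file; it says nothing about the other Log4J 1.x issues the comment refers to.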