Is Confluent (7.0) with bundled LOG4J vulnerable?

Hi. Is the current version of Confluent (7.0), and the bundled LOG4J version, open to this new vulnerability?
https://www.randori.com/blog/cve-2021-44228/

According to https://docs.confluent.io/platform/current/release-notes/index.html , yes. https://twitter.com/lizthegrey/status/1469143322811777032 has the mitigation required.

Would the mitigation suggested here with this property on broker log4j.properties work?

-Dlog4j2.formatMsgNoLookups=true

https://github.com/advisories/GHSA-jfh8-c2jp-5v3q

That's a JVM argument, and it should work.

Yup, KAFKA_ARGS should be able to take it in your service file.

-Dlog4j2.formatMsgNoLookups=true in log4j.properties is confirmed working, preventing the log4j2 vulnerability Log4Shell.

Thanks for all the good info people!

Where do you see that Confluent Kafka is vulnerable? Core Kafka uses log4j 1.2.17. As far as I can tell, Confluent uses a repackaged version of log4j 1.2 with security patches.

PR-365 - Upgrade log4j2 to 2.13.2
PR-371 - KAFKA-12756: Update ZooKeeper to v3.6.3
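A defender-side check added here, not code from the thread or from Confluent: a POSIX shell script that inventories the log4j jars in a Kafka/Confluent lib directory (the directory path and the sample jar names are constructed for the demo), reports log4j-core 2.x builds older than the 2.15.0 fix for CVE-2021-44228 (so the 2.13.2 build mentioned above shows as unpatched), and tests whether a JVM argument string such as the one in your service file carries the formatMsgNoLookups flag.

```shell
#!/bin/sh
# Added example (not from the thread): inventory log4j jars in a Kafka/Confluent
# lib directory and check a JVM argument string for the mitigation flag.

# Numeric key for a dotted version so "2.13.2" < "2.15.0" compares correctly.
vkey() { echo "$1" | awk -F. '{ printf "%d", $1*1000000 + $2*1000 + $3 }'; }
version_ge() { [ "$(vkey "$1")" -ge "$(vkey "$2")" ]; }

# Classify one jar file name; prints "<file> <version> <status>".
classify_jar() {
  name=$(basename "$1")
  case "$name" in
    log4j-core-*.jar)
      ver=${name#log4j-core-}; ver=${ver%.jar}
      if version_ge "$ver" "2.15.0"; then
        echo "$name $ver patched"        # CVE-2021-44228 is fixed from 2.15.0
      else
        echo "$name $ver VULNERABLE"     # log4j 2.x before the fix
      fi ;;
    log4j-1.*.jar)
      ver=${name#log4j-}; ver=${ver%.jar}
      echo "$name $ver log4j1-not-affected" ;;  # 1.x has no message lookups
    *) return 1 ;;                                # not a log4j artifact
  esac
}

# Walk a lib directory and report every log4j artifact it contains.
scan_lib_dir() {
  for f in "$1"/*.jar; do
    [ -e "$f" ] || continue
    classify_jar "$f" || true
  done
}

# Does the JVM argument string (e.g. the value passed via your service file)
# carry the formatMsgNoLookups flag? Only honoured by log4j 2.10 and later.
has_nolookups_flag() {
  case "$1" in *-Dlog4j2.formatMsgNoLookups=true*) return 0 ;; *) return 1 ;; esac
}

# Constructed sample directory standing in for a real Kafka lib directory.
demo() {
  d=$(mktemp -d)
  for j in log4j-1.2.17.jar log4j-core-2.13.2.jar log4j-core-2.15.0.jar kafka-clients-7.0.0.jar; do
    : > "$d/$j"
  done
  scan_lib_dir "$d"
  rm -rf "$d"
}
demo
```

Point `scan_lib_dir` at the actual lib directory of the installed broker; the flag check is a stopgap only, and replacing the jar with a fixed build is the durable fix.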

If you have a Confluent support contract, I strongly recommend checking out https://support.confluent.io/hc/en-us/articles/4412607023124-Security-Release-Notes-for-CP-7-0-1

For Confluent Cloud customers, is there a way to view what version the cluster is running so we can confirm the security patches have been applied?