Is cp-kafka-connect-base image still using confluent forked log4j v1.x?

jerryz · 31 May 2023 01:10

Hi there,

We are using cp-kafka-connect-base v 5.3. 1 community image for our self managed connectors.

From December 2021 Log4j Vulnerabilities Advisory, it says

Confluent’s community package does not include or rely upon Log4j 2.x. The community package also relies upon Confluent’s fork of Log4j 1.x (confluent-log4j), which is not vulnerable to CVE-2021-44228. The community package does not ship with JMS Appender configured by default, which means the Confluent community package is not impacted by CVE-2021-4104.

Can anyone from confluent confirm that it is still applied for latest and future version cp-kafka-connect-base community images?

Best Regards,

Jerry

OneCricketeer · 4 June 2023 12:46

These images are open source, so you’re welcome to figure this out from the repo.

Topic		Replies	Views
Is the kafka-connect docker image confluentinc/cp-kafka-connect-base:5.5.0 affected by the log4j vulnerability https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228? Kafka Connect	2	2844	14 December 2021
Confluent-community-2.13 log4J vulnerability Kafka Connect	7	2884	2 March 2022
Critical security vulnerability code-named “Log4Shell” (tracked as CVE-2021-44228) Managed Connectors	3	3156	21 December 2021
Resolving CVE-2022-48566 and CVE-2023-40217 Kafka Connect	1	904	29 October 2023
Does confluent kafka (cp-kafka) support Log4j RollingFileAppender with Time/Size Based Triggering Policy & Rollover Strategy? Doesn't seem to work Containers	1	2938	24 November 2022

Is cp-kafka-connect-base image still using confluent forked log4j v1.x?

Related Topics