Our scanner has detected CVE-2019-17571 for Kafka and ZooKeeper. Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data, which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17. Kafka 2.7.0's bundled log4j-1.2.17.jar does contain the SocketServer.class file.
log4j.properties
AFAIK, it's not used for communication, but I wanted to check with the community. @scholzj
Replies: 1 comment
This is part of the Kafka / ZooKeeper distribution. Log4j 1 is unsupported and has CVEs, but this needs to be addressed by Kafka. Strimzi uses the Kafka binaries. We do not have the resources to maintain forks of Kafka with another logging stack. My understanding is that this is not a critical issue and is triggered neither with the default configuration nor with the usual configuration. You would need to use some more special logging configurations to be exposed to it.
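The reply above says exposure depends on a non-default logging configuration. As an added example (not code from the discussion, Strimzi or Kafka), the script below checks a bundled log4j 1.2 jar for the listener classes named by CVE-2019-17571, checks a log4j.properties for socket appenders that would indicate a network logging path, and strips the listener classes from the jar as a mitigation; the demo jar, its entries and the properties text are constructed stand-ins, and the `log4j-1.2.17.jar` name is taken from the question.

```python
"""Added example (not from the discussion or Kafka): inspect a bundled log4j 1.2
jar for the listener classes behind CVE-2019-17571, inspect a log4j.properties
for socket appenders, and strip the classes as a mitigation. Inputs are constructed."""
import io
import re
import zipfile

# log4j 1.2 classes that read serialized LoggingEvent objects off a TCP port.
LISTENER_CLASSES = (
    "org/apache/log4j/net/SocketServer.class",
    "org/apache/log4j/net/SimpleSocketServer.class",
)
# Matches e.g. "log4j.appender.remote=org.apache.log4j.net.SocketAppender".
SOCKET_APPENDER_RE = re.compile(
    r"^[ \t]*log4j\.appender\.[\w-]+[ \t]*=[ \t]*org\.apache\.log4j\.net\.(Socket\w*Appender)[ \t]*$",
    re.MULTILINE)

def listener_classes_in_jar(jar_bytes):
    """Return which CVE-2019-17571 listener classes the jar bundles."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
    return [c for c in LISTENER_CLASSES if c in names]

def socket_appenders(properties_text):
    """Return socket appender classes configured in a log4j.properties."""
    return sorted(set(SOCKET_APPENDER_RE.findall(properties_text)))

def strip_listener_classes(jar_bytes):
    """Copy the jar without the listener classes (SocketServer is a standalone
    main() program, so appenders do not depend on it)."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename not in LISTENER_CLASSES:
                dst.writestr(info, src.read(info.filename))
    return out.getvalue()

def build_demo_jar():
    """Constructed stand-in for log4j-1.2.17.jar; entry bodies are fake."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("org/apache/log4j/Logger.class", b"\xca\xfe\xba\xbe")
        zf.writestr(LISTENER_CLASSES[0], b"\xca\xfe\xba\xbe")
    return buf.getvalue()

DEMO_PROPERTIES = """log4j.rootLogger=INFO, stdout, remote
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.remote=org.apache.log4j.net.SocketAppender
"""
```

Run `listener_classes_in_jar` against the real jar path inside the Kafka distribution and `socket_appenders` against the deployed log4j.properties; an empty result from both matches the "default configuration" case described in the reply.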