Security update for kafka
This update for kafka, kafka-kit fixes following issues:
- Remove JDBCAppender, JMSSink, chainsaw from log4j jars during build to
prevent bsc#1194842, CVE-2022-23302, bsc#1194843, CVE-2022-23305,
bsc#1194844, CVE-2022-23307
- Rebuild with kafka-kit change to
Remove JMSAppender from log4j jars during build to
prevent bsc#1193662, CVE-2021-4104
-
Submitted by
Jan Zerebecki (jzerebecki)
Fixed bugs
bnc#1194842
VUL-0: CVE-2022-23302: log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink
bnc#1194843
VUL-0: CVE-2022-23305: log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender
bnc#1194844
VUL-0: CVE-2022-23307: log4j: Apache Log4j 1.x: A deserialization flaw in the Chainsaw component of Log4j 1 can lead to malicious code execution.
bnc#1193662
VUL-0: CVE-2021-4104: log4j,log4j12: log4j v.1.2.x remote code execution through JMS API via the ldap JNDI parser
