Important note on log4j security


Gunnar Morling

Dec 10, 2021, 11:22:32 PM
to debezium
Debezium users,

Earlier today, a critical security issue with the widely used log4j library was published, which enables an easily exploitable remote code execution vulnerability [1].

This issue was reported for log4j version 2.x, which is NOT used by Debezium, Apache Kafka or Kafka Connect.

But there are also reports [2] that log4j version 1.x is affected when using the JMS log appender coming with log4j 1.x. This appender is NOT used by Debezium in any way. But since log4j is a dependency of Apache Kafka and Kafka Connect, this appender class is shipped in the log4j-1.2.17.jar contained in the container images provided by Debezium for Apache Kafka and Kafka Connect, as well as the Debezium Server distribution.

We therefore strongly advise all users not to use this JMS log appender in their log4j configuration. To our current information, users who are not using the JMS appender are not affected by this issue.

With best regards,

--Gunnar

[1] https://nvd.nist.gov/vuln/detail/CVE-2021-44228

Gunnar Morling

Dec 11, 2021, 1:12:42 PM
to debezium
Debezium users,

As per an analysis of log4j 1.x developer Ceki Gülcü, the JMS-based log appender coming with log4j 1.x (which itself ships with Debezium's container images for Apache Kafka and Kafka Connect and the Debezium Server distribution) is NOT affected by this remote code execution vulnerability [1].

With best regards,

Gunnar Morling

Dec 14, 2021, 2:18:11 PM
to debezium
Debezium users,

To further clarify the situation, we have published this post on the blog today:


TL;DR: Debezium is NOT affected by the recently disclosed remote code execution vulnerability in log4j2 (CVE-2021-44228). The log4j-1.2.17.jar shipped in Debezium's container images contains a class JMSAppender, which is subject to a MODERATE vulnerability (CVE-2021-4104). This appender is NOT used by default, i.e. access to log4j's configuration is required in order to exploit this CVE. As a measure of caution, we have decided to remove the JMSAppender class from Debezium's container images as of version 1.7.2.Final, released today.

I.e., since the last message in this thread, a separate CVE for the JMSAppender class in log4j 1.x has been filed, and this is considered its own vulnerability now. This CVE is considered moderate, as it requires explicit usage of that appender class in a specific way, which would require access to log4j's configuration.

As this class should only rarely, if ever, be used in the context of Kafka, we dropped that class from the container images we publish. Other deliverables, like the connector archives themselves or the Debezium Server distribution don't contain the log4j JAR and thus are not impacted by this in any way.

If you have any questions or concerns around this, please don't hesitate to reach out to me at any time.

With best regards,

--Gunnar
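The thread leaves operators with two things to verify on their own deployments: whether a log4j 1.x JAR (such as the log4j-1.2.17.jar shipped in the Kafka and Kafka Connect images before 1.7.2.Final) still contains the JMSAppender class, and whether any log4j.properties in use actually wires that appender up, which is the precondition for CVE-2021-4104. The following audit script is an added example and not code from the Debezium project or the thread's author; it reads a JAR as a ZIP archive and looks for the entry `org/apache/log4j/net/JMSAppender.class` (the standard location of that class in log4j 1.x), and parses `log4j.appender.<name>=<class>` lines from a properties-format configuration (Kafka Connect's `connect-log4j.properties` uses that format; XML-based log4j 1.x configs are not covered). The sample JAR and the two sample configurations are constructed in memory so the script runs offline; point the functions at real files in practice.

```python
"""Audit for the log4j 1.x JMSAppender (CVE-2021-4104) in JARs and configs.

Added example, not Debezium project code. Two checks:
  1. jar_contains_class: does a JAR still ship
     org/apache/log4j/net/JMSAppender.class? (Debezium 1.7.2.Final removed it.)
  2. configured_jms_appenders: does a log4j.properties text assign
     org.apache.log4j.net.JMSAppender to any appender name?
"""
import io
import re
import zipfile
from pathlib import Path

# Fully qualified class name of the appender discussed in the thread.
JMS_APPENDER_CLASS = "org.apache.log4j.net.JMSAppender"
# Its entry name inside a JAR (a JAR is a ZIP archive).
JMS_APPENDER_ENTRY = JMS_APPENDER_CLASS.replace(".", "/") + ".class"

# Matches "log4j.appender.<name>=<class>" but not the appender's
# sub-properties such as "log4j.appender.<name>.layout=...".
_APPENDER_RE = re.compile(r"^\s*log4j\.appender\.([^.\s=]+)\s*=\s*(\S+)",
                          re.MULTILINE)


def jar_contains_class(jar, entry=JMS_APPENDER_ENTRY):
    """Return True if the JAR (path or file-like object) contains `entry`."""
    with zipfile.ZipFile(jar) as zf:
        return entry in zf.namelist()


def configured_jms_appenders(config_text):
    """Return the appender names bound to JMSAppender in a log4j.properties text."""
    return [name for name, cls in _APPENDER_RE.findall(config_text)
            if cls == JMS_APPENDER_CLASS]


def find_log4j1_jars(root):
    """Yield paths under `root` whose file name looks like a log4j 1.x JAR."""
    return sorted(Path(root).rglob("log4j-1.*.jar"))


def audit(jar, config_text):
    """Combine both checks; 'exploitable_config' is the condition that matters."""
    appenders = configured_jms_appenders(config_text)
    return {
        "jar_has_jmsappender": jar_contains_class(jar),
        "jms_appenders": appenders,
        "exploitable_config": bool(appenders) and jar_contains_class(jar),
    }


def build_sample_jar(include_jms):
    """Constructed stand-in for log4j-1.2.17.jar with empty class entries.

    This is NOT the real JAR; only the entry names matter for the check.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("org/apache/log4j/Logger.class", b"")
        if include_jms:
            zf.writestr(JMS_APPENDER_ENTRY, b"")
    buf.seek(0)
    return buf


# Constructed sample configurations (assumed, not taken from any Debezium image).
SAMPLE_CONFIG_UNSAFE = """\
log4j.rootLogger=INFO, stdout, jms
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.TopicBindingName=logTopic
"""

SAMPLE_CONFIG_SAFE = """\
log4j.rootLogger=INFO, stdout
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
"""


if __name__ == "__main__":
    for label, cfg in (("unsafe", SAMPLE_CONFIG_UNSAFE), ("safe", SAMPLE_CONFIG_SAFE)):
        for has_class in (True, False):
            result = audit(build_sample_jar(has_class), cfg)
            print(f"config={label} jar_has_class={has_class}: {result}")
```

Only the combination "class present in the JAR" and "appender configured" is the condition the thread calls moderate; a JAR that still contains the class but a configuration that never references it matches the "not used by default" situation described above. If you cannot upgrade to an image that has the class removed, deleting the entry from the JAR in place (`zip -d log4j-1.2.17.jar org/apache/log4j/net/JMSAppender.class`) mirrors what the 1.7.2.Final images do, and re-running `jar_contains_class` afterwards confirms it.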