Hello, I use Sentry onpremise v20.11.0.
A few days ago, I heard that there was a log4j security issue.
So, I analyzed Sentry and I saw that log4j was used for Kafka and Kafka Zookeeper. Is Sentry safe from this security issue?
Please let me know. Thank you.
sentry : sentry/server.py at 0e966c06924a449545e03a444d44eb1ceaa710cf · getsentry/sentry · GitHub
kafka : kafka/dependencies.gradle at 9c1fbb3db1e0d69d09f165b3b9861fc984ad1a62 · confluentinc/kafka · GitHub
log4j issue : NVD - CVE-2021-44228
Are versions 21.9.0 and 21.11.0 vulnerable as well?
To me it looks like Kafka is using version 1.2.17, but there’s a plug-in to enable version 2 (which is currently affected); see here: Log4j 2.x | Sentry Documentation
Also see here: Finding applications that use Log4J
But maybe someone else can clarify :).
But isn't the relevant question whether Kafka is logging any incoming data at all? I guess not, from what I saw so far.
Appollon77, true, but in my case, InfoSec would like to know from the vendor if a vulnerable log4j2 lib is in use within on-prem Sentry.
@BYK @tkaemming Please check this topic… Thanks
Sorry, I checked the site below. Thanks