Is Sentry also affected by log4j security issue? (with CVE-2021-44228)

Hello, I use sentry onpremise v20.11.0

A days ago, I heard that there was a log4j security issue.

So, I analyzed Sentry and I saw that log4j was used for Kafka and Kafka Zookeeper. Is Sentry safe from this security issue?

Please let me know. thank you.

sentry : sentry/server.py at 0e966c06924a449545e03a444d44eb1ceaa710cf · getsentry/sentry · GitHub
kafka : kafka/dependencies.gradle at 9c1fbb3db1e0d69d09f165b3b9861fc984ad1a62 · confluentinc/kafka · GitHub
log4j issue : NVD - CVE-2021-44228

4 Likes

Are versions 21.9.0 and 21.11.0 vulnerable as well?

For me it looks like kafka is using version 1.2.17; but there’s a plug-in to enable version 2 (which is currently affected); see here: Log4j 2.x | Sentry Documentation

Also see here: Finding applications that use Log4J

But maybe someone else can clarify :).

But is not the releavnt question if the kafka is logging any incoming data at all? I guess not from what I saw so far

Appollon77, true, but in my case, InfoSec would like to know from the vendor if a vulnerable log4j2 lib is in use within on-prem Sentry.

@BYK @tkaemming Please check this topic… Thanks

Sorry, I checked this below site. Thanks