To further clarify the situation, we have published this post on the blog today:
TL,DR: Debezium is NOT affected by the recently disclosed remote code execution vulnerability in log4j2 (CVE-2021-44228); The log4j-1.2.17.jar shipped in Debezium’s container images contains a class JMSAppender, which is subject to a MODERATE vulnerability (CVE-2021-4104).
This appender is NOT used by default, i.e. access to log4j’s
configuration is required in order to exploit this CVE. As a measure of
caution, we have decided to remove the JMSAppender class from Debezium’s container images as of version 1.7.2.Final, released today.
I.e. since the last message in this thread, a separate CVE for the JMSAppender class in log4j 1.x has been filed and this is considered its own vulnerability now. This CVE is considered moderate, as it requires explicit usage of that appender class in a specific way, which would require access to log4j's configuration.
As this class should only rarely, if ever, be used in the context of Kafka, we dropped that class from the container images we publish. Other deliverables, like the connector archives themselves or the Debezium Server distribution don't contain the log4j JAR and thus are not impacted by this in any way.
If you have any questions or concerns around this, please don't hesitate to reach out to me at any time.
With best regards,