This is an automated email from the ASF dual-hosted git repository.

chia7712 pushed a commit to branch 4.1
in repository https://gitbox.apache.org/repos/asf/kafka.git


The following commit(s) were added to refs/heads/4.1 by this push:
     new 25e5b262463 KAFKA-20038 Upgrade Log4j to 2.25.3 to fix CVE-2025-68161 
(#21250)
25e5b262463 is described below

commit 25e5b262463a9484397c4a858a4d86c6861ed97a
Author: Ken Huang <[email protected]>
AuthorDate: Wed Jan 7 21:51:36 2026 +0800

    KAFKA-20038 Upgrade Log4j to 2.25.3 to fix CVE-2025-68161 (#21250)
    
    Updated log4j2 version to 2.25.3 to address the CVE. FYI:
    https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-core
    
    CVE LINK : https://nvd.nist.gov/vuln/detail/CVE-2025-68161
    
    Reviewers: Chia-Ping Tsai <[email protected]>
---
 LICENSE-binary                                                    | 8 ++++----
 .../src/main/java/org/apache/kafka/connect/runtime/Loggers.java   | 2 +-
 gradle/dependencies.gradle                                        | 2 +-
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/LICENSE-binary b/LICENSE-binary
index d5484cd0b28..5b5d2c44108 100644
--- a/LICENSE-binary
+++ b/LICENSE-binary
@@ -238,10 +238,10 @@ License Version 2.0:
 - jetty-util-12.0.22
 - jose4j-0.9.6
 - jspecify-1.0.0
-- log4j-api-2.24.3
-- log4j-core-2.24.3
-- log4j-slf4j-impl-2.24.3
-- log4j-1.2-api-2.24.3
+- log4j-api-2.25.3
+- log4j-core-2.25.3
+- log4j-slf4j-impl-2.25.3
+- log4j-1.2-api-2.25.3
 - lz4-java-1.10.1
 - maven-artifact-3.9.6
 - metrics-core-2.2.0
diff --git 
a/connect/runtime/src/main/java/org/apache/kafka/connect/runtime/Loggers.java 
b/connect/runtime/src/main/java/org/apache/kafka/connect/runtime/Loggers.java
index 3767e31ac7c..1a79698ae9f 100644
--- 
a/connect/runtime/src/main/java/org/apache/kafka/connect/runtime/Loggers.java
+++ 
b/connect/runtime/src/main/java/org/apache/kafka/connect/runtime/Loggers.java
@@ -255,7 +255,7 @@ public abstract class Loggers {
             LoggerContext context = (LoggerContext) 
LogManager.getContext(false);
             var results = new HashMap<String, 
org.apache.logging.log4j.core.Logger>();
             context.getConfiguration().getLoggers().forEach((name, logger) -> 
results.put(name, loggerContext.getLogger(name)));
-            context.getLoggerRegistry().getLoggers().forEach(logger -> 
results.put(logger.getName(), logger));
+            context.getLoggers().forEach(logger -> 
results.put(logger.getName(), logger));
             return results;
         }
 
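Review bot: The replaced line in the `@@ -255,7 +255,7 @@` hunk of Loggers.java has no comment explaining why the accessor changed, although it is the only runtime code change in a commit that is otherwise a dependency bump for a CVE fix. If the move from `context.getLoggerRegistry().getLoggers()` to `context.getLoggers()` is required by the Log4j 2.25.x API (not visible from this hunk), a one-line comment such as `// Log4j 2.25.x: enumerate live loggers through LoggerContext#getLoggers()` would stop a later backport or cleanup from reverting it. The neighbouring context lines also mix the local `context` with `loggerContext.getLogger(name)`; if both refer to the same context, using a single name would make that evident to a reader. The enclosing method starts outside the hunk, so this is based only on the lines shown.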
diff --git a/gradle/dependencies.gradle b/gradle/dependencies.gradle
index 0ebc9da22f1..a5d31e99e39 100644
--- a/gradle/dependencies.gradle
+++ b/gradle/dependencies.gradle
@@ -104,7 +104,7 @@ versions += [
   kafka_38: "3.8.1",
   kafka_39: "3.9.1",
   kafka_40: "4.0.0",
-  log4j2: "2.24.3",
+  log4j2: "2.25.3",
   // When updating lz4 make sure the compression levels in 
org.apache.kafka.common.record.CompressionType are still valid
   // 
https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/record/CompressionType.java#L73-L74
   // 
https://github.com/yawkat/lz4-java/blob/main/src/java/net/jpountz/lz4/LZ4Constants.java#L23-L24
