This is an automated email from the ASF dual-hosted git repository.
chia7712 pushed a commit to branch 4.0
in repository https://gitbox.apache.org/repos/asf/kafka.git
The following commit(s) were added to refs/heads/4.0 by this push:
new c618472d111 KAFKA-20038 Upgrade Log4j to 2.25.3 to fix CVE-2025-68161
(#21264)
c618472d111 is described below
commit c618472d11113288f56e1391e7c8cb18c0bab531
Author: Ken Huang <[email protected]>
AuthorDate: Fri Jan 9 00:08:07 2026 +0800
KAFKA-20038 Upgrade Log4j to 2.25.3 to fix CVE-2025-68161 (#21264)
Updated the log4j2 version to 2.25.3 to address the CVE. FYI:
https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-core
CVE LINK : https://nvd.nist.gov/vuln/detail/CVE-2025-68161
Reviewers: Chia-Ping Tsai <[email protected]>, TengYao Chi
<[email protected]>
---
LICENSE-binary | 8 ++++----
.../src/main/java/org/apache/kafka/connect/runtime/Loggers.java | 2 +-
gradle/dependencies.gradle | 2 +-
3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/LICENSE-binary b/LICENSE-binary
index 243682e9d66..aba96f7f57b 100644
--- a/LICENSE-binary
+++ b/LICENSE-binary
@@ -236,10 +236,10 @@ License Version 2.0:
- jetty-session-12.0.15
- jetty-util-12.0.15
- jose4j-0.9.4
-- log4j-api-2.24.3
-- log4j-core-2.24.3
-- log4j-slf4j-impl-2.24.3
-- log4j-1.2-api-2.24.3
+- log4j-api-2.25.3
+- log4j-core-2.25.3
+- log4j-slf4j-impl-2.25.3
+- log4j-1.2-api-2.25.3
- lz4-java-1.10.1
- maven-artifact-3.9.6
- metrics-core-2.2.0
diff --git
a/connect/runtime/src/main/java/org/apache/kafka/connect/runtime/Loggers.java
b/connect/runtime/src/main/java/org/apache/kafka/connect/runtime/Loggers.java
index 1593e3708fd..ca011457cf6 100644
---
a/connect/runtime/src/main/java/org/apache/kafka/connect/runtime/Loggers.java
+++
b/connect/runtime/src/main/java/org/apache/kafka/connect/runtime/Loggers.java
@@ -202,7 +202,7 @@ public class Loggers {
LoggerContext context = (LoggerContext) LogManager.getContext(false);
var results = new HashMap<String, org.apache.logging.log4j.Logger>();
context.getConfiguration().getLoggers().forEach((name, logger) ->
results.put(name, LogManager.getLogger(name)));
- context.getLoggerRegistry().getLoggers().forEach(logger ->
results.put(logger.getName(), logger));
+ context.getLoggers().forEach(logger -> results.put(logger.getName(),
logger));
return results;
}
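Review bot: The replacement of `context.getLoggerRegistry().getLoggers()` with `context.getLoggers()` is the only source change in an otherwise version-bump commit, and neither the hunk nor the commit description says why it was needed, so a later reader of this line cannot tell whether it is an API migration forced by the 2.25.3 upgrade or an intentional change in which loggers are collected. I would put a short comment above the new line, e.g. `// Second pass: every logger the context currently holds, not only the configured ones; later puts win for names present in both maps.` — that the two passes exist to pick up loggers absent from the configuration is my reading of the surrounding code, so confirm it against the Log4j API before settling the wording. If the two accessors differ in what they return (for instance in whether the collection is a live view or a snapshot), a sentence on that in the commit description would help reviewers of the 4.0 backport. The enclosing method's signature lies outside the hunk; only its tail is visible here.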
diff --git a/gradle/dependencies.gradle b/gradle/dependencies.gradle
index ff97581b0a3..175494258cf 100644
--- a/gradle/dependencies.gradle
+++ b/gradle/dependencies.gradle
@@ -106,7 +106,7 @@ versions += [
kafka_37: "3.7.2",
kafka_38: "3.8.1",
kafka_39: "3.9.0",
- log4j2: "2.24.3",
+ log4j2: "2.25.3",
// When updating lz4 make sure the compression levels in
org.apache.kafka.common.record.CompressionType are still valid
//
https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/record/CompressionType.java#L73-L74
//
https://github.com/yawkat/lz4-java/blob/main/src/java/net/jpountz/lz4/LZ4Constants.java#L23-L24