[
https://issues.apache.org/jira/browse/KAFKA-9366?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17515252#comment-17515252
]
Akansh Shandilya edited comment on KAFKA-9366 at 3/31/22, 11:23 AM:
--------------------------------------------------------------------
[~showuon] I appreciate your dedication and efforts to resolve the EOL log4j 1.x
version in Kafka.
Log4j 1.x was declared End-of-Life by Apache log4j in 2015. Apache Kafka is
still using it.
Also, security scanners are reporting the EOL version of log4j as a
vulnerability in Kafka, and there is little scope to explain it to the whole world.
[~showuon] please discuss and review to find a solution with the user who has
blocked the chance of a log4j upgrade (log4j 1.x to log4j 2.x) in the Kafka 3.2.0
release.
Or is there any plan to remove log4j 1.x in the 3.2.0 release? Please advise.
> Upgrade log4j to log4j2
> -----------------------
>
> Key: KAFKA-9366
> URL: https://issues.apache.org/jira/browse/KAFKA-9366
> Project: Kafka
> Issue Type: Bug
> Components: core
> Affects Versions: 2.2.0, 2.1.1, 2.3.0, 2.4.0
> Reporter: leibo
> Assignee: Dongjin Lee
> Priority: Critical
> Labels: needs-kip
> Fix For: 3.3.0
>
>
> h2. CVE-2019-17571 Detail
> Included in Log4j 1.2 is a SocketServer class that is vulnerable to
> deserialization of untrusted data which can be exploited to remotely execute
> arbitrary code when combined with a deserialization gadget when listening to
> untrusted network traffic for log data. This affects Log4j versions 1.2 up to
> 1.2.17.
>
> [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17571]
>
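The quoted CVE text names one concrete artifact, the org.apache.log4j.net.SocketServer class shipped in log4j 1.2.x, and the comment above says scanners flag Kafka for carrying it. The script below is an added example, not code from the Jira thread or from the Kafka project: it walks an installation directory, opens every jar and reports the ones that still contain that class together with the Implementation-Version from the jar manifest. It assumes Kafka keeps its bundled jars under libs/ and that log4j 1.2 jars carry an Implementation-Version manifest attribute (both are assumptions here, and the scan falls back to "unknown" when the attribute is absent). The sample jars it scans are constructed inline with dummy class bytes so it runs offline; point it at a real install with a path argument.

```python
"""Find log4j 1.x jars that still carry org.apache.log4j.net.SocketServer.

Added example for this thread, not Kafka project code. The sample jars below
are constructed inline so the script runs offline.
"""
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass
from typing import List, Optional

# The class named in CVE-2019-17571. Its presence means the vulnerable
# deserialization code is on the classpath, not that a listener is running.
SOCKET_SERVER = "org/apache/log4j/net/SocketServer.class"


@dataclass
class Finding:
    path: str
    version: Optional[str]  # Implementation-Version from MANIFEST.MF, if any


def manifest_version(zf: zipfile.ZipFile) -> Optional[str]:
    """Return Implementation-Version from the jar manifest, or None."""
    try:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.MULTILINE)
    return m.group(1) if m else None


def scan_jar(path: str) -> Optional[Finding]:
    """Return a Finding if the jar ships the SocketServer class, else None."""
    with zipfile.ZipFile(path) as zf:
        if SOCKET_SERVER not in zf.namelist():
            return None
        return Finding(path=path, version=manifest_version(zf))


def scan_tree(root: str) -> List[Finding]:
    """Walk root and collect every jar that contains the SocketServer class."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if not name.endswith(".jar"):
                continue
            path = os.path.join(dirpath, name)
            try:
                finding = scan_jar(path)
            except zipfile.BadZipFile:
                continue  # not a real jar; skip rather than abort the scan
            if finding:
                findings.append(finding)
    return findings


def _write_jar(path: str, entries: dict) -> None:
    """Write a minimal zip with the given member names (contents are dummies)."""
    with zipfile.ZipFile(path, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)


def build_sample_tree() -> str:
    """Constructed stand-in for a Kafka install: one log4j 1.2 jar, one log4j 2 jar."""
    root = tempfile.mkdtemp(prefix="kafka-libs-")
    libs = os.path.join(root, "libs")  # assumption: Kafka keeps bundled jars in libs/
    os.makedirs(libs)
    _write_jar(os.path.join(libs, "log4j-1.2.17.jar"), {
        "META-INF/MANIFEST.MF": "Manifest-Version: 1.0\r\nImplementation-Version: 1.2.17\r\n",
        "org/apache/log4j/Logger.class": b"\xca\xfe\xba\xbe",  # dummy class bytes
        SOCKET_SERVER: b"\xca\xfe\xba\xbe",
    })
    _write_jar(os.path.join(libs, "log4j-core-2.17.1.jar"), {
        "META-INF/MANIFEST.MF": "Manifest-Version: 1.0\r\nImplementation-Version: 2.17.1\r\n",
        "org/apache/logging/log4j/core/Logger.class": b"\xca\xfe\xba\xbe",
    })
    with open(os.path.join(libs, "not-a-jar.jar"), "wb") as fh:
        fh.write(b"garbage")  # exercises the BadZipFile path
    return root


def report(findings: List[Finding]) -> List[str]:
    """One human-readable line per jar that ships the vulnerable class."""
    return [f"{f.path}: log4j {f.version or 'unknown'} ships {SOCKET_SERVER} (CVE-2019-17571)"
            for f in findings]


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for line in report(scan_tree(root)):
        print(line)
```

A hit from this scan is the finding the scanners in the comment report: the EOL library with the vulnerable class is on the classpath. As the CVE text itself says, code execution additionally needs something to run that SocketServer listening on untrusted traffic, so treat a hit as an upgrade item and separately check whether any process actually starts org.apache.log4j.net.SocketServer.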
--
This message was sent by Atlassian Jira
(v8.20.1#820001)