[ 
https://issues.apache.org/jira/browse/KAFKA-9366?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17515311#comment-17515311
 ] 

Bruno Cadonna commented on KAFKA-9366:
--------------------------------------

[~akansh] As stated in the mailing list thread [~showuon] posted above, we will 
not upgrade to log4j2 in 3.2.0 due to risks of breaking backward compatibility. 
However, we will replace log4j12 with reload4j in 3.2.0 and 3.1.1 to account 
for the CVE. I merged the corresponding PR yesterday (see 
https://issues.apache.org/jira/browse/KAFKA-13660). We plan to move to log4j2 
in the next major release 4.0.0.

> Upgrade log4j to log4j2
> -----------------------
>
>                 Key: KAFKA-9366
>                 URL: https://issues.apache.org/jira/browse/KAFKA-9366
>             Project: Kafka
>          Issue Type: Bug
>          Components: core
>    Affects Versions: 2.2.0, 2.1.1, 2.3.0, 2.4.0
>            Reporter: leibo
>            Assignee: Dongjin Lee
>            Priority: Critical
>              Labels: needs-kip
>             Fix For: 3.3.0
>
>
> h2. CVE-2019-17571 Detail
> Included in Log4j 1.2 is a SocketServer class that is vulnerable to 
> deserialization of untrusted data which can be exploited to remotely execute 
> arbitrary code when combined with a deserialization gadget when listening to 
> untrusted network traffic for log data. This affects Log4j 1.2 versions up to 
> 1.2.17.
>  
> [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17571]
>  

--
This message was sent by Atlassian Jira
(v8.20.1#820001)
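The thread above settles on swapping log4j 1.2 for reload4j in 3.1.1 and 3.2.0 rather than moving to log4j2. An operator who wants to confirm that swap actually landed in a deployed broker can inspect the jars on the classpath. The following is an added example for this page, not code from the Kafka project or from any participant in the thread; it assumes the jars sit flat in one directory such as `$KAFKA_HOME/libs` and classifies the distribution by which logging backend jar it finds. The jar file names used in the usage comment and the test are constructed.

```shell
#!/bin/sh
# Added example, not part of the Jira thread: report which log4j-family backend a
# Kafka distribution ships, so an operator can confirm the reload4j swap landed.
# Assumption: jars live flat in a single directory such as $KAFKA_HOME/libs.

# Prints exactly one of: log4j12 | reload4j | log4j2 | none
# A log4j 1.2 jar wins over everything else: if both log4j-1.2.x and reload4j are
# present, the vulnerable classes are still loadable and that is what we report.
classify_logging_jars() {
  dir="$1"
  have_log4j12=0; have_reload4j=0; have_log4j2=0
  for jar in "$dir"/*.jar; do
    [ -e "$jar" ] || continue          # glob matched nothing
    name=$(basename "$jar")
    case "$name" in
      log4j-1.2.*.jar)    have_log4j12=1 ;;   # CVE-2019-17571: every 1.2 release through 1.2.17
      reload4j-*.jar)     have_reload4j=1 ;;  # drop-in fork Kafka 3.1.1 / 3.2.0 moved to
      log4j-core-2.*.jar) have_log4j2=1 ;;    # log4j2, planned for Kafka 4.0.0 per the thread
    esac
  done
  if   [ "$have_log4j12" -eq 1 ]; then echo log4j12
  elif [ "$have_reload4j" -eq 1 ]; then echo reload4j
  elif [ "$have_log4j2" -eq 1 ];   then echo log4j2
  else echo none
  fi
}

# Prints "<dir>: <classification>" and returns non-zero only when a log4j 1.2 jar
# is present, so the function can gate a deployment script.
check_kafka_libs() {
  result=$(classify_logging_jars "$1")
  echo "$1: $result"
  [ "$result" != "log4j12" ]
}

# Usage (assumed install location):
#   check_kafka_libs "${KAFKA_HOME:-/opt/kafka}/libs" || echo "log4j 1.2 still on the classpath"
```

The classification is by file name only, which is what a release swap changes; it does not tell you whether `org.apache.log4j.net.SocketServer` is actually started on the host, so a `log4j12` result means "exposed if the socket server is ever run", not "currently exploitable".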
