Hi Franziska,

When upgrading to Log4J 2.x.x, take extra care not to upgrade to a 2.x.x version that has a more recent serious security flaw, much worse than the one you mentioned. You can read more about it here: https://access.redhat.com/security/cve/cve-2021-44228
Thanks!
-R

On Fri, Jan 7, 2022 at 10:26 AM Brosy, Franziska <franziska.br...@wido.bv.aok.de> wrote:
> Hi all,
>
> can you please tell us why Kafka is still using Log4j 1.2? And when it is
> planned to upgrade the Log4j version?
> Do you know this security vulnerability?:
> https://logging.apache.org/log4j/1.2/
>
> A security vulnerability, CVE-2019-17571 <https://www.cvedetails.com/cve/CVE-2019-17571/>, has been identified
> against Log4j 1. Log4j includes a SocketServer that accepts serialized log
> events and deserializes them without verifying whether the objects are
> allowed or not. This can provide an attack vector that can be exploited.
> Since Log4j 1 is no longer maintained this issue will not be fixed. Users
> are urged to upgrade to Log4j 2.
>
> Best regards
> Franziska
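Added example, not part of the thread above: a small Python triage script that classifies Log4j jar filenames found on a classpath (for instance a Kafka `libs/` directory) into the two cases the thread raises, Log4j 1.x (end of life, CVE-2019-17571 in SocketServer) and Log4j 2.x releases affected by CVE-2021-44228. The affected range for CVE-2021-44228, 2.0-beta9 through 2.14.1 with 2.15.0 as the first fixed release, is a known fact that the thread does not state; the jar names used in the demo are constructed. Matching on filenames is a first pass: a shaded or renamed jar needs to be inspected inside the archive.

```python
import os
import re
from typing import Iterator, Optional, Tuple

# Status labels returned by classify_jar().
LOG4J1_EOL = "log4j-1.x: end of life, CVE-2019-17571 (SocketServer deserialization)"
LOG4J2_JNDI = "log4j-2.x: affected by CVE-2021-44228, upgrade to a fixed 2.x release"
LOG4J2_PRE = "log4j-2.x: pre-release older than 2.0-beta9, unsupported, upgrade"
LOG4J2_FIXED = "log4j-2.x: not affected by CVE-2021-44228 (2.15.0 or later)"
UNKNOWN = "log4j: unrecognised major version, check manually"

# Only the runtime jars carry the vulnerable code: log4j-<v>.jar for 1.x and
# log4j-core-<v>.jar for 2.x. log4j-api jars are deliberately not matched.
JAR_RE = re.compile(
    r"^(log4j|log4j-core)-(\d+\.\d+(?:\.\d+)?(?:-(?:alpha|beta|rc)\d+)?)\.jar$",
    re.IGNORECASE,
)
VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?$", re.IGNORECASE
)


def version_key(version: str) -> Tuple[int, int, int, Tuple[int, str, int]]:
    """Turn '2.0-beta9' or '2.14.1' into a sortable tuple.

    Pre-releases sort before the final release of the same number, so
    2.0-beta9 < 2.0 < 2.0.1.
    """
    m = VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised log4j version: {version!r}")
    major, minor, patch = int(m[1]), int(m[2]), int(m[3] or 0)
    pre = (0, m[4].lower(), int(m[5])) if m[4] else (1, "", 0)
    return (major, minor, patch, pre)


# Known affected range for CVE-2021-44228 (a fact, not taken from the thread):
# 2.0-beta9 up to and including 2.14.1; 2.15.0 is the first release without it.
CVE_2021_44228_FIRST = version_key("2.0-beta9")
CVE_2021_44228_FIXED = version_key("2.15.0")


def classify_jar(filename: str) -> Optional[Tuple[str, str]]:
    """Return (version, status) for a log4j runtime jar, or None if the name is not one."""
    m = JAR_RE.match(os.path.basename(filename))
    if not m:
        return None
    version = m[2]
    key = version_key(version)
    if key[0] == 1:
        status = LOG4J1_EOL
    elif key[0] != 2:
        status = UNKNOWN
    elif key < CVE_2021_44228_FIRST:
        status = LOG4J2_PRE
    elif key < CVE_2021_44228_FIXED:
        status = LOG4J2_JNDI
    else:
        status = LOG4J2_FIXED
    return version, status


def scan_dir(root: str) -> Iterator[Tuple[str, str, str]]:
    """Walk a directory tree and yield (path, version, status) for every log4j runtime jar."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            result = classify_jar(name)
            if result:
                yield os.path.join(dirpath, name), result[0], result[1]


if __name__ == "__main__":
    # Constructed sample of jar names such as a classpath listing might contain.
    sample = [
        "log4j-1.2.17.jar",
        "log4j-core-2.0-beta9.jar",
        "log4j-core-2.14.1.jar",
        "log4j-core-2.17.1.jar",
        "log4j-api-2.14.1.jar",
        "kafka-clients-3.0.0.jar",
    ]
    for name in sample:
        print(f"{name:28} -> {classify_jar(name)}")
```

`scan_dir` can be pointed at an installation directory to list every runtime jar with its status; `log4j-api` and unrelated jars come back as `None` and are skipped. The `LOG4J2_FIXED` label only says that CVE-2021-44228 does not apply; it is not a statement about any later 2.x advisory, which is outside what this thread covers.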