In general you can delete the log4j 1 jar and replace it with
log4j-core-2.17.1.jar and log4j-api-2.17.1.jar.

Ed

On Monday, January 24, 2022, Men Lim <zulu...@gmail.com> wrote:

> Is there a write out of the steps that need to be taken?
>
> On Mon, Jan 24, 2022 at 10:36 AM Edward Capriolo <edlinuxg...@gmail.com> wrote:
>
> > As explained in another thread, the log4j API is separate from the
> > implementation. It's possible to remove the log4j 1.2 jars from the
> > classpath and upgrade to log4j 2.17.1 without changing a line of code in
> > Kafka.
> >
> >
> > On Monday, January 10, 2022, Tauzell, Dave <dave.tauz...@surescripts.com>
> > wrote:
> >
> > > Thanks.  Those KIPs show that there is a fair amount of work for this.
> > >
> > > From: Israel Ekpo <israele...@gmail.com>
> > > Date: Monday, January 10, 2022 at 9:32 AM
> > > To: users@kafka.apache.org <users@kafka.apache.org>
> > > Subject: [EXTERNAL] Re: Log4j 1.2
> > > There are two KIPs already related to this effort:
> > >
> > > KIP-653
> > > https://cwiki.apache.org/confluence/display/KAFKA/KIP-653%3A+Upgrade+log4j+to+log4j2
> > >
> > > KIP-676
> > > https://cwiki.apache.org/confluence/display/KAFKA/KIP-676%3A+Respect+logging+hierarchy
> > >
> > > I believe the work is in progress; feel free to reach out to the
> > > contributors if you are able to contribute to the effort by coding,
> > > reviewing PRs, submitting documentation, etc.
> > >
> > >
> > > Israel Ekpo
> > > Lead Instructor, IzzyAcademy.com
> > > https://www.youtube.com/c/izzyacademy
> > > https://izzyacademy.com/
> > >
> > >
> > > On Mon, Jan 10, 2022 at 10:12 AM Brosy, Franziska
> > > <franziska.br...@wido.bv.aok.de> wrote:
> > >
> > > > Well. Hopefully there is someone who is able and willing to do that
> > > > work.
> > > > I'm so sorry that I can't help.
> > > >
> > > > Best regards
> > > > Franziska
> > > >
> > > > -----Original Message-----
> > > > From: Tauzell, Dave <dave.tauz...@surescripts.com>
> > > > Sent: Monday, 10 January 2022 14:30
> > > > To: users@kafka.apache.org
> > > > Subject: Re: Log4j 1.2
> > > >
> > > > Log4j 2.x isn't a drop-in replacement for 1.x. It isn't a difficult
> > > > change, but somebody does need to go through all the source code and do
> > > > the work.
> > > >
> > > >
> > > > -Dave
> > > >
> > > > From: Brosy, Franziska <franziska.br...@wido.bv.aok.de>
> > > > Date: Monday, January 10, 2022 at 3:16 AM
> > > > To: users@kafka.apache.org <users@kafka.apache.org>
> > > > Subject: [EXTERNAL] Re: Log4j 1.2
> > > > Hi Roger,
> > > >
> > > > maybe I wasn't clear enough. I'm not using Kafka myself. I'm a customer
> > > > of the MicroStrategy platform. MicroStrategy uses Kafka. Here is the
> > > > problem: an old Log4j 1.2 is delivered with Kafka.
> > > >
> > > >
> > > > https://www.apache.org/dyn/closer.cgi?path=/kafka/3.0.0/kafka_2.13-3.0.0.tgz
> > > > kafka_2.13-3.0.0\libs\log4j-1.2.17.jar
> > > >
> > > > Your advice about CVE-2021-44228 is outdated. It is solved in Log4j
> > > > 2.17! So why is Kafka delivered with Log4j 1.2 instead of Log4j 2.17??
> > > >
> > > > Sticking to a very old version is definitely not secure! Yes, you can
> > > > use a smartphone with Android 4.2, but you wouldn't expect there is an
> > > > emergency to do so - would you?
> > > >
> > > > Can you please tell me when Kafka will be upgraded to at least Log4j
> > > > 2.17? Otherwise, can you please tell me what the reason is to stick to
> > > > such an old Log4j version and run into security risks?
> > > >
> > > > Best regards
> > > > Franziska
> > > >
> > > >
> > > > -----Original Message-----
> > > > From: Murilo Tavares <murilo...@gmail.com>
> > > > Sent: Friday, 7 January 2022 20:23
> > > > To: users@kafka.apache.org
> > > > Subject: Re: Log4j 1.2
> > > >
> > > > Also worth mentioning: the Kafka community has released this official
> > > > announcement:
> > > >
> > > > https://kafka.apache.org/cve-list
> > > >
> > > >
> > > > On Fri, 7 Jan 2022 at 09:28, Roger Kasinsky <roger.kasin...@gmail.com>
> > > > wrote:
> > > >
> > > > > Hi Franziska,
> > > > >
> > > > > When upgrading to Log4J 2.x.x, take extra care not to upgrade to a
> > > > > 2.x.x version that has a more recent serious security flaw, much worse
> > > > > than the one you mentioned. You can read more about it here:
> > > > >
> > > > > https://access.redhat.com/security/cve/cve-2021-44228
> > > > >
> > > > > Thanks!
> > > > >
> > > > > -R
> > > > >
> > > > >
> > > > > On Fri, Jan 7, 2022 at 10:26 AM Brosy, Franziska
> > > > > <franziska.br...@wido.bv.aok.de> wrote:
> > > > >
> > > > > > Hi all,
> > > > > >
> > > > > > can you please tell us why Kafka is still using Log4j 1.2? And when
> > > > > > is it planned to upgrade the Log4j version??
> > > > > > Do you know this security vulnerability?
> > > > > >
> > > > > > https://logging.apache.org/log4j/1.2/
> > > > > >
> > > > > > A security vulnerability, CVE-2019-17571
> > > > > > <https://www.cvedetails.com/cve/CVE-2019-17571/>, has been
> > > > > > identified against Log4j 1. Log4j includes a SocketServer that
> > > > > > accepts serialized log events and deserializes them without
> > > > > > verifying whether the objects are allowed or not. This can provide
> > > > > > an attack vector that can be exploited. Since Log4j 1 is no longer
> > > > > > maintained this issue will not be fixed. Users are urged to upgrade
> > > > > > to Log4j 2.
> > > > > >
> > > > > > Best regards
> > > > > > Franziska
> > > > > >
> > > > >
> > > > This e-mail and any files transmitted with it are confidential, may
> > > > contain sensitive information, and are intended solely for the use of
> > > > the individual or entity to whom they are addressed. If you have
> > > > received this e-mail in error, please notify the sender by reply e-mail
> > > > immediately and destroy all copies of the e-mail and any attachments.
> > > >
> > >
> >
> >
> > --
> > Sorry this was sent from mobile. Will do less grammar and spell check than
> > usual.
> >
>


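The swap described at the top of this thread (drop the log4j 1.2 jar, put log4j-core and log4j-api 2.17.1 in its place) is easy to leave half-done in a libs/ directory holding dozens of jars. What follows is an added example for this page, not code from the thread, from Kafka or from MicroStrategy. It audits a libs/ directory for what the thread is worried about: log4j 1.x jars by name, the org.apache.log4j.net.SocketServer class that CVE-2019-17571 concerns (looked up inside every jar, so a renamed copy is still caught), and log4j 2 jars older than the 2.17.1 the thread recommends. The slf4j-log4j12 check is an assumption the thread does not state: a distribution that logs through SLF4J on top of log4j 1.2 also carries that binding jar, and it has to leave the classpath together with the log4j 1.2 jar. The jar names and contents used in the demo are constructed stand-ins, not real artifacts.

```python
"""Audit a Kafka-style libs/ directory for Log4j 1.x leftovers.

Added example for this page; it is not code from the thread or from Kafka.
Jars are plain zip files, so the SocketServer class that CVE-2019-17571
describes can be looked up inside each jar regardless of the file name.
"""
import re
import tempfile
import zipfile
from pathlib import Path

# Class named in the CVE-2019-17571 description (log4j 1.x SocketServer).
SOCKET_SERVER_CLASS = "org/apache/log4j/net/SocketServer.class"
# Version the thread recommends moving to.
MIN_LOG4J2 = (2, 17, 1)

# Maven-style "<artifact>-<version>[.qualifier][-qualifier].jar". The artifact
# group is greedy so that log4j-1.2-api-2.17.1.jar (the log4j 2 bridge) parses
# as artifact "log4j-1.2-api", version 2.17.1, and not as log4j 1.2.
JAR_NAME_RE = re.compile(
    r"^(?P<artifact>.+)-(?P<version>\d+(?:\.\d+)*)"
    r"(?:[-.][A-Za-z][A-Za-z0-9_]*)*\.jar$"
)


def parse_jar_name(filename):
    """Return (artifact, version tuple), or None for non-Maven-style names."""
    m = JAR_NAME_RE.match(filename)
    if not m:
        return None
    version = tuple(int(p) for p in m.group("version").split("."))
    return m.group("artifact"), version


def jar_contains(path, entry):
    """True if the zip entry exists in the jar; unreadable jars count as no."""
    try:
        with zipfile.ZipFile(path) as zf:
            return entry in zf.namelist()
    except zipfile.BadZipFile:
        return False


def audit_libs(libs_dir):
    """Return [(jar name, finding)] for every problem jar; [] means clean."""
    findings = []
    for jar in sorted(Path(libs_dir).glob("*.jar")):
        parsed = parse_jar_name(jar.name)
        artifact, version = parsed if parsed else (jar.stem, ())
        if artifact == "log4j" and version[:1] == (1,):
            findings.append((jar.name, "log4j 1.x jar; unmaintained, CVE-2019-17571 will not be fixed"))
        if artifact in ("log4j-core", "log4j-api") and version < MIN_LOG4J2:
            findings.append((jar.name, "log4j 2 older than %s" % ".".join(map(str, MIN_LOG4J2))))
        # Assumption: a distribution logging through SLF4J also ships the
        # slf4j-log4j12 binding, which targets log4j 1.2 and must go with it.
        if artifact == "slf4j-log4j12":
            findings.append((jar.name, "SLF4J binding for log4j 1.2 still on the classpath"))
        if jar_contains(jar, SOCKET_SERVER_CLASS):
            findings.append((jar.name, "contains %s (CVE-2019-17571)" % SOCKET_SERVER_CLASS))
    return findings


def build_sample_libs(root, jars):
    """Write constructed stand-in jars (near-empty zips) named like real ones."""
    root = Path(root)
    root.mkdir(parents=True, exist_ok=True)
    for name, entries in jars.items():
        with zipfile.ZipFile(root / name, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            for entry in entries:
                zf.writestr(entry, b"")
    return root


# Constructed stand-ins for the jar names the thread mentions; not real jars.
BEFORE_SWAP = {
    "kafka_2.13-3.0.0.jar": [],
    "log4j-1.2.17.jar": [SOCKET_SERVER_CLASS],
    "slf4j-log4j12-1.7.30.jar": [],
}
AFTER_SWAP = {
    "kafka_2.13-3.0.0.jar": [],
    "log4j-api-2.17.1.jar": [],
    "log4j-core-2.17.1.jar": [],
}


def demo():
    """Audit both constructed directories; returns (before, after) findings."""
    with tempfile.TemporaryDirectory() as tmp:
        before = audit_libs(build_sample_libs(Path(tmp) / "before", BEFORE_SWAP))
        after = audit_libs(build_sample_libs(Path(tmp) / "after", AFTER_SWAP))
    return before, after


if __name__ == "__main__":
    for label, findings in zip(("before swap", "after swap"), demo()):
        print("%s: %d finding(s)" % (label, len(findings)))
        for jar, msg in findings:
            print("  %s: %s" % (jar, msg))
```

Against a real installation, call audit_libs() on the unpacked distribution's libs/ directory (the path is whatever your install uses); an empty list is the pass condition. The filename check alone would miss a jar someone renamed, which is why the SocketServer lookup inspects the zip contents of every jar, and the version check catches a log4j 2 jar that is present but older than the thread's target.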
