[
https://issues.apache.org/jira/browse/KAFKA-13534?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17457566#comment-17457566
]
Luke Chen commented on KAFKA-13534:
-----------------------------------
[~svudutala] , thanks for reporting the issue. I've confirmed that Kafka is not
affected by this CVE. Please read my email reply here for more detail:
[https://lists.apache.org/thread/lgbtvvmy68p0059yoyn9qxzosdmx4jdv]
But we have a KIP to upgrade log4j to log4j2. I'll link this ticket to that:
KAFKA-9366
Thank you.
> Upgrade Log4j to 2.15.0 - CVE-2021-44228
> ----------------------------------------
>
> Key: KAFKA-13534
> URL: https://issues.apache.org/jira/browse/KAFKA-13534
> Project: Kafka
> Issue Type: Task
> Affects Versions: 2.7.0, 2.8.0, 3.0.0
> Reporter: Sai Kiran Vudutala
> Priority: Major
>
> Log4j has an RCE vulnerability, see
> [https://www.lunasec.io/docs/blog/log4j-zero-day/]
> References.
> [https://github.com/advisories/GHSA-jfh8-c2jp-5v3q]
> [https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126]
>
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
