Re: Consumer failure after rolling Broker upgrade

2021-12-22 Thread Luke Chen
Hi James, I've filed a bug in JIRA: KAFKA-13563. I'll investigate this issue. Thank you. Luke On Wed, Dec 22, 2021 at 2:49 AM James Olsen wrote: > This failure occurred again during this month's rolling OS security > updates to the Brokers (n

Log4j 2.x preview for Kafka

2021-12-22 Thread Deepak Jain
Hi Luke, We are using Kafka 2.8.1 Broker/Client system in our prod env. Due to the Log4j vulnerabilities CVE-2021-44228, CVE-2021-45046, CVE-2021-4104 and CVE-2021-45105, we are waiting for Kafka to upgrade to Log4j 2.17. However, we came across the following link in which there is a preview for the

Re: Log4j 2.x preview for Kafka

2021-12-22 Thread Israel Ekpo
Currently, the core Apache Kafka components do not have any dependencies on log4j2. There may be Kafka connectors that use log4j2, so you would need to check with your connector vendors to see if this applies to those connectors. If you do not use Kafka connect, then this may not apply to you. He

Re: Log4j 2.x preview for Kafka

2021-12-22 Thread Luke Chen
Hi Deepak, As Israel mentioned, the core Apache Kafka components do not have any dependencies on log4j2. The only CVE that core Apache Kafka got impacted by is CVE-2021-4104. You can check the official announcement for the mitigation methods here: https://kafka.apache.org/cve-list For the log4j 2.x

Re: Log4j 2.x preview for Kafka

2021-12-22 Thread Deepak Jain
Hi Israel, Thanks for your prompt response but it didn't resolve my query. We are mainly concerned about the CVE-2021-4104 vulnerability as Log4j 1.x is used by the core components which are being currently used in our prod env. I just want to know whether the preview in the following link (which use

RE: Log4j 2.x preview for Kafka

2021-12-22 Thread Deepak Jain
Hi Luke, Thanks for your clarification. Just one more query: Since we do not use the JMS Appender, do we need to apply the mitigation mentioned in the below link for CVE-2021-4104? https://kafka.apache.org/cve-list Regards, Deepak -Original Message- From: Luke Chen Sent: 23 Decemb

Re: Log4j 2.x preview for Kafka

2021-12-22 Thread Luke Chen
Hi Deepak, > Since, we do not use the JMS Appender so do we need to apply the mitigation mentioned in the below link for CVE-2021-4104. https://kafka.apache.org/cve-list From an application security perspective, I'd suggest applying it, to avoid mis-configuration in the future by someone else.