Also worth mentioning the Kafka community has released this official
announcement:
https://kafka.apache.org/cve-list


On Fri, 7 Jan 2022 at 09:28, Roger Kasinsky <roger.kasin...@gmail.com>
wrote:

> Hi Franziska,
>
> When upgrading to Log4J 2.x.x, take extra care not to upgrade to a 2.x.x
> version that has a more recent serious security flaw, much worse than the
> one you mentioned. You can read more about it here:
> https://access.redhat.com/security/cve/cve-2021-44228
>
> Thanks!
>
> -R
>
>
> On Fri, Jan 7, 2022 at 10:26 AM Brosy, Franziska <
> franziska.br...@wido.bv.aok.de> wrote:
>
> > Hi all,
> >
> > can you please tell us why Kafka is still using Log4j 1.2? And when it is
> > planned to upgrade the Log4j version??
> > Do you know this security vulnerability?:
> > https://logging.apache.org/log4j/1.2/
> >
> > A security vulnerability, CVE-2019-17571
> > <https://www.cvedetails.com/cve/CVE-2019-17571/>, has been identified
> > against Log4j 1. Log4j includes a SocketServer that accepts serialized
> > log events and deserializes them without verifying whether the objects are
> > allowed or not. This can provide an attack vector that can be exploited.
> > Since Log4j 1 is no longer maintained this issue will not be fixed. Users
> > are urged to upgrade to Log4j 2.
> >
> > Best regards
> > Franziska
> >
>

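The defect class Franziska quotes for CVE-2019-17571, a network-facing service that hands untrusted bytes straight to ObjectInputStream.readObject() with no check on which classes may be instantiated, is generic to Java serialization. The following is an added example for this thread, not Kafka's or Log4j's code and not the real SocketServer: a stand-in LogEvent class, a constructed hostile class whose readObject hook records that it ran, the unchecked read, and a hardened read that installs a JEP 290 java.io.ObjectInputFilter (Java 9 or later) so that only LogEvent and String can be resolved from the stream. All class names and the sample payloads are invented for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

/**
 * Added example (not Log4j or Kafka code). Shows why "deserializes without
 * verifying whether the objects are allowed" matters, and the allowlist fix.
 */
public class DeserializationAllowlistDemo {

    /** Stand-in for the legitimate event type a log server expects. */
    public static final class LogEvent implements Serializable {
        private static final long serialVersionUID = 1L;
        final String message;
        LogEvent(String message) { this.message = message; }
    }

    /** Constructed attacker class: its readObject runs during deserialization. */
    public static final class NotALogEvent implements Serializable {
        private static final long serialVersionUID = 1L;
        static boolean readObjectRan = false;
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            readObjectRan = true; // a real gadget chain would do damage here
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Vulnerable pattern: whatever class the sender names gets instantiated. */
    static Object readUnchecked(byte[] wire) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(wire))) {
            return ois.readObject();
        }
    }

    /** Hardened pattern: class allowlist plus depth/reference limits, applied before resolution. */
    static Object readAllowlisted(byte[] wire) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = info -> {
            if (info.depth() > 5 || info.references() > 100) {
                return ObjectInputFilter.Status.REJECTED;
            }
            Class<?> c = info.serialClass();
            if (c == null) {
                return ObjectInputFilter.Status.UNDECIDED; // not a class-resolution step
            }
            if (c == LogEvent.class || c == String.class) {
                return ObjectInputFilter.Status.ALLOWED;
            }
            return ObjectInputFilter.Status.REJECTED;
        };
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(wire))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] good = serialize(new LogEvent("broker started"));
        byte[] bad = serialize(new NotALogEvent());

        // Unchecked server: the hostile class is constructed and its readObject runs.
        readUnchecked(bad);
        System.out.println("unchecked: attacker readObject ran = " + NotALogEvent.readObjectRan);

        // Allowlisted server: legitimate events still deserialize ...
        LogEvent ev = (LogEvent) readAllowlisted(good);
        System.out.println("allowlisted: got event '" + ev.message + "'");

        // ... but the hostile class is rejected before it is instantiated.
        NotALogEvent.readObjectRan = false;
        try {
            readAllowlisted(bad);
        } catch (InvalidClassException e) {
            System.out.println("allowlisted: rejected (" + e.getMessage()
                    + "), attacker readObject ran = " + NotALogEvent.readObjectRan);
        }
    }
}
```

The filter runs for every class descriptor the stream names, so the rejection happens before NotALogEvent is ever loaded or constructed; that is the property a Log4j 1.x SocketServer lacked. An allowlist of concrete classes is the right shape here because a log receiver knows exactly which event type it expects; a denylist of known gadgets would have to chase every new chain.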