Also worth mentioning the Kafka community has released this official announcement: https://kafka.apache.org/cve-list
On Fri, 7 Jan 2022 at 09:28, Roger Kasinsky <roger.kasin...@gmail.com> wrote:

> Hi Franziska,
>
> When upgrading to Log4J 2.x.x, take extra care not to upgrade to a 2.x.x
> version that has a more recent serious security flaw, much worse than the
> one you mentioned. You can read more about it here:
> https://access.redhat.com/security/cve/cve-2021-44228
>
> Thanks!
>
> -R
>
>
> On Fri, Jan 7, 2022 at 10:26 AM Brosy, Franziska <
> franziska.br...@wido.bv.aok.de> wrote:
>
> > Hi all,
> >
> > can you please tell us why Kafka is still using Log4j 1.2? And when it is
> > planned to upgrade the Log4j version??
> > Do you know this security vulnerability?:
> > https://logging.apache.org/log4j/1.2/
> >
> > A security vulnerability, CVE-2019-17571
> > <https://www.cvedetails.com/cve/CVE-2019-17571/> has been identified
> > against Log4j 1. Log4j includes a SocketServer that accepts serialized log
> > events and deserializes them without verifying whether the objects are
> > allowed or not. This can provide an attack vector that can be exploited.
> > Since Log4j 1 is no longer maintained this issue will not be fixed. Users
> > are urged to upgrade to Log4j 2.
> >
> > Best regards
> > Franziska
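As an added check for the question raised in this thread (which Log4j version a Kafka installation actually ships, and whether an upgrade landed on a 2.x release with the worse flaw), the script below is example code, not from Kafka or from anyone in the thread: it inventories log4j jars in a libs directory, reads each jar's manifest version, and flags the two CVEs discussed above. The 2.15.0 cut-off for CVE-2021-44228 is an assumption taken from the upstream advisory, not from the thread, and the sample jars are constructed in a temporary directory.

```python
"""Inventory Log4j jars in a Kafka libs/ directory and flag the CVEs from the thread."""
import re
import tempfile
import zipfile
from pathlib import Path

# Assumptions (from the upstream advisories, not from this thread):
# every Log4j 1.x release carries CVE-2019-17571 and will never be fixed;
# Log4j 2.x releases before 2.15.0 carry CVE-2021-44228.
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Return (major, minor, patch) from a version string or file name, or None."""
    m = VERSION_RE.search(text or "")
    return tuple(int(g) if g else 0 for g in m.groups()) if m else None


def jar_version(path):
    """Prefer the manifest's Implementation-Version; fall back to the file name."""
    try:
        with zipfile.ZipFile(path) as jar:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            for line in manifest.splitlines():
                if line.lower().startswith("implementation-version:"):
                    return parse_version(line.split(":", 1)[1]) or parse_version(Path(path).name)
    except (zipfile.BadZipFile, KeyError, OSError):
        pass
    return parse_version(Path(path).name)


def classify(version):
    """Map a parsed version to the finding a Kafka operator should act on."""
    if version is None:
        return "unknown version: inspect manually"
    major, minor, patch = version
    if major == 1:
        return "CVE-2019-17571 (Log4j 1.x SocketServer deserialization; unmaintained, never fixed)"
    if major == 2 and (minor, patch) < (15, 0):
        return "CVE-2021-44228 (Log4j 2.x before 2.15.0; do not upgrade to this)"
    return "no finding for the CVEs in this thread"


def scan_libs(libs_dir):
    """Return {jar name: finding} for every log4j jar directly under libs_dir."""
    return {jar.name: classify(jar_version(jar)) for jar in sorted(Path(libs_dir).glob("*log4j*.jar"))}


def make_jar(path, impl_version=None):
    """Constructed sample jar for the demo: a zip holding only a manifest."""
    body = "Manifest-Version: 1.0\n" + (f"Implementation-Version: {impl_version}\n" if impl_version else "")
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", body)


def demo():
    """Build a constructed libs/ directory resembling a Kafka install and scan it."""
    with tempfile.TemporaryDirectory() as d:
        make_jar(Path(d) / "log4j-1.2.17.jar")                # version only in the file name
        make_jar(Path(d) / "log4j-core-2.14.1.jar", "2.14.1")
        make_jar(Path(d) / "log4j-core.jar", "2.17.1")        # version only in the manifest
        return scan_libs(d)
```

Run `demo()` against a real install by replacing the constructed directory with your Kafka `libs/` path; jars whose version cannot be determined are reported for manual inspection rather than silently passed.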