Log4j 2.x isn't a drop-in replacement for 1.x. It isn't a difficult change, but somebody does need to go through all the source code and do the work.

-Dave

From: Brosy, Franziska <franziska.br...@wido.bv.aok.de>
Date: Monday, January 10, 2022 at 3:16 AM
To: users@kafka.apache.org <users@kafka.apache.org>
Subject: Re: Log4j 1.2

Hi Roger,

maybe I wasn't clear enough. I'm not using Kafka myself. I'm a customer of the MicroStrategy platform. MicroStrategy uses Kafka. Here is the problem. An old Log4j 1.2 is delivered with Kafka.

https://www.apache.org/dyn/closer.cgi?path=/kafka/3.0.0/kafka_2.13-3.0.0.tgz
kafka_2.13-3.0.0\libs\log4j-1.2.17.jar

Your advice regarding CVE-2021-44228 is outdated. It is solved in Log4j 2.17! So why is Kafka delivered with Log4j 1.2 instead of Log4j 2.17?? Sticking to a very old version is definitely not secure! Yes, you can use a smartphone with Android 4.2, but you wouldn't expect there to be an emergency to do so - would you?

Can you please tell me when Kafka will be upgraded to Log4j at least 2.17? Otherwise, can you please tell me what the reason is to stick to such an old Log4j version and run into security risks?

Best regards
Franziska

-----Original Message-----
From: Murilo Tavares <murilo...@gmail.com>
Sent: Friday, 7 January 2022 20:23
To: users@kafka.apache.org
Subject: Re: Log4j 1.2

Also worth mentioning: the Kafka community has released this official announcement: https://kafka.apache.org/cve-list

On Fri, 7 Jan 2022 at 09:28, Roger Kasinsky <roger.kasin...@gmail.com> wrote:
> Hi Franziska,
>
> When upgrading to Log4J 2.x.x, take extra care not to upgrade to a
> 2.x.x version that has a more recent serious security flaw, much worse
> than the one you mentioned. You can read more about it here:
> https://access.redhat.com/security/cve/cve-2021-44228
>
> Thanks!
>
> -R
>
> On Fri, Jan 7, 2022 at 10:26 AM Brosy, Franziska <franziska.br...@wido.bv.aok.de> wrote:
> > Hi all,
> >
> > can you please tell us why Kafka is still using Log4j 1.2? And when
> > is it planned to upgrade the Log4j version??
> > Do you know this security vulnerability?:
> > https://logging.apache.org/log4j/1.2/
> >
> > A security vulnerability, CVE-2019-17571 <https://www.cvedetails.com/cve/CVE-2019-17571/>,
> > has been identified against Log4j 1. Log4j includes a SocketServer that
> > accepts serialized log events and deserializes them without verifying
> > whether the objects are allowed or not. This can provide an attack
> > vector that can be exploited. Since Log4j 1 is no longer maintained
> > this issue will not be fixed. Users are urged to upgrade to Log4j 2.
> >
> > Best regards
> > Franziska
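As an added check for readers of this thread (editor's example, not code from the thread, from MicroStrategy or from the Apache Kafka project): a small Python scanner that walks a directory of jars such as the kafka_2.13-3.0.0/libs folder named above, identifies Log4j 1.x and Log4j 2 log4j-core jars by their Maven pom.properties metadata (falling back to the manifest's Implementation-Version), and reports the two issues the thread is about: the Log4j 1.x SocketServer class behind CVE-2019-17571, and any log4j-core below the 2.17 floor Franziska names. The jar entry names are the standard Maven metadata locations and Log4j's own class names; the sample jars the script builds for its offline demo are constructed stubs (metadata plus empty class entries), not real Log4j binaries. One caveat a practitioner should keep in mind: finding org.apache.log4j.net.SocketServer on the classpath is a necessary condition for CVE-2019-17571, not evidence that anything in the deployment actually starts that server; the scanner tells you what is shipped, not what is listening.

```python
"""Scan a jar directory (e.g. a Kafka distribution's libs/) for Log4j artifacts.
Editor's example for the Log4j 1.2 thread; not code from the thread or from Kafka."""
import os
import re
import sys
import tempfile
import zipfile
from dataclasses import dataclass
from typing import List, Optional

# Standard Maven metadata paths and Log4j class names looked up inside each jar.
LOG4J1_POM = "META-INF/maven/log4j/log4j/pom.properties"
LOG4J1_LOGGER = "org/apache/log4j/Logger.class"
LOG4J1_SOCKET_SERVER = "org/apache/log4j/net/SocketServer.class"   # CVE-2019-17571
LOG4J12_BRIDGE_POM = "META-INF/maven/org.apache.logging.log4j/log4j-1.2-api/pom.properties"
LOG4J2_CORE_POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
LOG4J2_CORE_CLASS = "org/apache/logging/log4j/core/LoggerContext.class"
LOG4J2_FLOOR = (2, 17, 0)   # the version the thread names as the fix level


@dataclass
class Finding:
    jar: str
    generation: int          # 1 = Log4j 1.x, 2 = Log4j 2 log4j-core
    version: Optional[str]   # None when no Maven/manifest metadata was found
    socket_server: bool      # Log4j 1.x SocketServer class present in the jar
    advisories: List[str]


def parse_version(text: Optional[str]):
    """'2.14.1' -> (2, 14, 1); missing components pad with 0, suffixes ignored."""
    nums = [int(n) for n in re.findall(r"\d+", text or "")][:3]
    return tuple(nums + [0] * (3 - len(nums)))


def _read_text(zf: zipfile.ZipFile, name: str) -> str:
    try:
        return zf.read(name).decode("utf-8", "replace")
    except KeyError:          # entry not in this jar
        return ""


def _version_from(zf: zipfile.ZipFile, pom_name: str) -> Optional[str]:
    # Prefer pom.properties; fall back to the manifest's Implementation-Version.
    for line in _read_text(zf, pom_name).splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    for line in _read_text(zf, "META-INF/MANIFEST.MF").splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return None


def inspect_jar(path: str) -> Optional[Finding]:
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        # Log4j 1.x: the log4j:log4j pom, or the 1.x Logger class in a jar that
        # is not Log4j 2's log4j-1.2-api compatibility bridge.
        if LOG4J1_POM in names or (LOG4J1_LOGGER in names and LOG4J12_BRIDGE_POM not in names):
            has_ss = LOG4J1_SOCKET_SERVER in names
            advisories = ["Log4j 1.x is end-of-life; no upstream fixes"]
            if has_ss:
                advisories.append("CVE-2019-17571: SocketServer deserializes untrusted log events")
            return Finding(path, 1, _version_from(zf, LOG4J1_POM), has_ss, advisories)
        if LOG4J2_CORE_POM in names or LOG4J2_CORE_CLASS in names:
            version = _version_from(zf, LOG4J2_CORE_POM)
            advisories = []
            if version is None:
                advisories.append("log4j-core version unknown: verify manually")
            elif parse_version(version) < LOG4J2_FLOOR:
                advisories.append("log4j-core below 2.17.0: CVE-2021-44228 series, upgrade")
            return Finding(path, 2, version, False, advisories)
    return None


def scan_libs(libs_dir: str) -> List[Finding]:
    findings = []
    for root, _dirs, files in os.walk(libs_dir):
        for name in sorted(files):
            if name.endswith(".jar"):
                found = inspect_jar(os.path.join(root, name))
                if found:
                    findings.append(found)
    return findings


def build_sample_libs(libs_dir: str) -> None:
    """Constructed sample jars (metadata + empty class stubs); not real Log4j."""
    def write_jar(name, entries):
        with zipfile.ZipFile(os.path.join(libs_dir, name), "w") as zf:
            for entry, data in entries.items():
                zf.writestr(entry, data)
    write_jar("log4j-1.2.17.jar", {LOG4J1_POM: "version=1.2.17\ngroupId=log4j\nartifactId=log4j\n",
                                   LOG4J1_LOGGER: b"", LOG4J1_SOCKET_SERVER: b""})
    write_jar("log4j-core-2.14.1.jar", {LOG4J2_CORE_POM: "version=2.14.1\n", LOG4J2_CORE_CLASS: b""})
    write_jar("slf4j-api-1.7.30.jar", {"org/slf4j/Logger.class": b""})   # unrelated jar, no finding


def demo() -> List[Finding]:
    """Scan the constructed sample set in a temporary directory."""
    with tempfile.TemporaryDirectory() as d:
        build_sample_libs(d)
        return scan_libs(d)


if __name__ == "__main__":
    for f in (scan_libs(sys.argv[1]) if len(sys.argv) > 1 else demo()):
        flag = " [SocketServer]" if f.socket_server else ""
        print(f"{os.path.basename(f.jar)}: log4j{f.generation} {f.version or '?'}{flag}")
        for a in f.advisories:
            print("   ", a)
```

Run it against a real distribution with `python scan_log4j.py kafka_2.13-3.0.0/libs` (the file name is an assumption); with no argument it scans the constructed samples. Shaded or repackaged jars carry neither the Maven metadata nor the original class paths, so a clean report from this scanner is not proof of absence; it is a first pass over what a vendor ships, to be followed by a look at what the deployment actually runs.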