There are two KIPs already related to this effort

KIP-653
https://cwiki.apache.org/confluence/display/KAFKA/KIP-653%3A+Upgrade+log4j+to+log4j2

KIP-676
https://cwiki.apache.org/confluence/display/KAFKA/KIP-676%3A+Respect+logging+hierarchy

I believe the work is in progress. Feel free to reach out to the
contributors if you are able to contribute to the effort by coding,
reviewing PRs, submitting documentation, etc.


Israel Ekpo
Lead Instructor, IzzyAcademy.com
https://www.youtube.com/c/izzyacademy
https://izzyacademy.com/


On Mon, Jan 10, 2022 at 10:12 AM Brosy, Franziska <
franziska.br...@wido.bv.aok.de> wrote:

> Well. Hopefully there is someone who is able and willing to do that
> work.
> I'm so sorry that I can't help.
>
> Best regards
> Franziska
>
> -----Original Message-----
> From: Tauzell, Dave <dave.tauz...@surescripts.com>
> Sent: Monday, 10 January 2022 14:30
> To: users@kafka.apache.org
> Subject: Re: Log4j 1.2
>
> Log4j 2.x isn't a drop-in replacement for 1.x.   It isn't a difficult
> change but somebody does need to go through all the source code and do the
> work.
>
>
> -Dave
>
> From: Brosy, Franziska <franziska.br...@wido.bv.aok.de>
> Date: Monday, January 10, 2022 at 3:16 AM
> To: users@kafka.apache.org <users@kafka.apache.org>
> Subject: [EXTERNAL] Re: Log4j 1.2
> Hi Roger,
>
> maybe I wasn't clear enough. I'm not using Kafka myself. I'm a customer
> of the MicroStrategy platform. MicroStrategy uses Kafka. Here is the
> problem: an old Log4j 1.2 is delivered with Kafka.
>
>
> https://www.apache.org/dyn/closer.cgi?path=/kafka/3.0.0/kafka_2.13-3.0.0.tgz
> kafka_2.13-3.0.0\libs\log4j-1.2.17.jar
>
> Your advice regarding CVE-2021-44228 is outdated. It is solved in Log4j 2.17!
> So why is Kafka delivered with Log4j 1.2 instead of Log4j 2.17??
>
> Sticking to a very old version is definitely not secure! Yes, you can use a
> smartphone with Android 4.2, but you wouldn't expect there to be an emergency
> to do so - would you?
>
> Can you please tell me when Kafka will be upgraded to Log4j at least 2.17?
> Otherwise can you please tell me what's the reason to stick to such an old
> Log4j version and run into security risks?
>
> Best regards
> Franziska
>
>
> -----Original Message-----
> From: Murilo Tavares <murilo...@gmail.com>
> Sent: Friday, 7 January 2022 20:23
> To: users@kafka.apache.org
> Subject: Re: Log4j 1.2
>
> Also worth mentioning: the Kafka community has released this official
> announcement:
>
> https://kafka.apache.org/cve-list
>
>
> On Fri, 7 Jan 2022 at 09:28, Roger Kasinsky <roger.kasin...@gmail.com>
> wrote:
>
> > Hi Franziska,
> >
> > When upgrading to Log4j 2.x.x, take extra care not to upgrade to a
> > 2.x.x version that has a more recent serious security flaw, much worse
> > than the one you mentioned. You can read more about it here:
> > https://access.redhat.com/security/cve/cve-2021-44228
> >
> > Thanks!
> >
> > -R
> >
> >
> > On Fri, Jan 7, 2022 at 10:26 AM Brosy, Franziska <
> > franziska.br...@wido.bv.aok.de> wrote:
> >
> > > Hi all,
> > >
> > > can you please tell us why Kafka is still using Log4j 1.2? And when
> > > is it planned to upgrade the Log4j version??
> > > Do you know this security vulnerability?:
> > > https://logging.apache.org/log4j/1.2/
> > >
> > > A security vulnerability, CVE-2019-17571
> > > <https://www.cvedetails.com/cve/CVE-2019-17571/>, has been
> > > identified against Log4j 1. Log4j includes a SocketServer that
> > > accepts serialized log events and deserializes them without verifying
> > > whether the objects are allowed or not. This can provide an attack
> > > vector that can be exploited. Since Log4j 1 is no longer maintained,
> > > this issue will not be fixed. Users are urged to upgrade to Log4j 2.
> > >
> > > Best regards
> > > Franziska
> > >
> >
>

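A check worth running before asking a vendor what it ships: inventory the jars that are actually in the libs/ directory, looking inside each jar rather than trusting its file name. The Python below is an added example written for this page, not code from the Kafka project or from anyone on the thread. It builds a constructed temporary directory of stand-in jars (a manifest plus empty class entries) whose names mirror the kafka_2.13-3.0.0 layout discussed above, then scans it; point scan_libs() at a real libs/ directory to use it for real. It flags Log4j 1.x by the presence of org/apache/log4j/net/SocketServer.class (the class named in CVE-2019-17571) or of 1.x-versioned org/apache/log4j classes, tells the log4j-1.2-api bridge apart from real 1.x by its 2.x version, and compares Log4j 2.x versions against the 2.17 floor the thread asks for. That 2.17 threshold is the thread's, not a complete statement of the Log4j 2 advisories.

```python
"""Inventory the log4j jars in a Kafka-style libs/ directory.
Added example, not code from the Kafka project or from this thread. It looks
inside each jar because a renamed or repackaged jar still carries 1.x classes."""
import os
import re
import tempfile
import zipfile

# Class named in CVE-2019-17571 (Log4j 1.x SocketServer deserialization).
LOG4J1_SOCKET_SERVER = "org/apache/log4j/net/SocketServer.class"
LOG4J1_PKG = "org/apache/log4j/"            # Log4j 1.x (and the 2.x bridge)
LOG4J2_PKG = "org/apache/logging/log4j/"    # Log4j 2.x
LOG4J2_FLOOR = (2, 17, 0)                   # the "at least 2.17" floor from the thread


def parse_version(text):
    """'2.17.1-SNAPSHOT' -> (2, 17, 1); stops at the first non-numeric part."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def inspect_jar(path):
    """Read the manifest and entry names of one jar; no classes are loaded."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        manifest = ""
        if "META-INF/MANIFEST.MF" in names:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
    if m is None:  # fall back to the version embedded in the file name
        m = re.search(r"-(\d+(?:\.\d+)+)\.jar$", os.path.basename(path))
    return {
        "version": m.group(1) if m else "",
        "log4j1_pkg": any(n.startswith(LOG4J1_PKG) for n in names),
        "log4j2_pkg": any(n.startswith(LOG4J2_PKG) for n in names),
        "socket_server": LOG4J1_SOCKET_SERVER in names,
    }


def classify(info):
    """Map inspect_jar() output to one of four verdicts."""
    version = parse_version(info["version"])
    # Real 1.x: the CVE class is present, or org/apache/log4j classes at a 1.x version.
    if info["socket_server"] or (info["log4j1_pkg"] and version[:1] == (1,)):
        return "log4j1-eol"
    # 2.x core/api, plus the log4j-1.2-api bridge (1.x package names, 2.x version).
    if info["log4j2_pkg"] or info["log4j1_pkg"]:
        return "log4j2-ok" if version >= LOG4J2_FLOOR else "log4j2-below-floor"
    return "not-log4j"


def scan_libs(libs_dir):
    """Return {jar file name: verdict} for every .jar in libs_dir."""
    return {
        name: classify(inspect_jar(os.path.join(libs_dir, name)))
        for name in sorted(os.listdir(libs_dir))
        if name.endswith(".jar")
    }


def _make_jar(path, entries, version):
    """Build a constructed stand-in jar: a manifest plus empty class entries."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        for entry in entries:
            zf.writestr(entry, b"")


def demo():
    """Constructed libs/ directory (temp dir); names mirror a Kafka 3.0.0 tarball
    plus two deliberately misleading cases."""
    libs = tempfile.mkdtemp(prefix="libs-")
    _make_jar(os.path.join(libs, "log4j-1.2.17.jar"),
              [LOG4J1_PKG + "Logger.class", LOG4J1_SOCKET_SERVER], "1.2.17")
    # Renamed copy of 1.x: the file name says nothing, the contents still do.
    _make_jar(os.path.join(libs, "logging-shaded.jar"),
              [LOG4J1_PKG + "Logger.class"], "1.2.17")
    # 2.x bridge: 1.x package names but a 2.x version, so not "log4j1-eol".
    _make_jar(os.path.join(libs, "log4j-1.2-api-2.17.1.jar"),
              [LOG4J1_PKG + "Logger.class"], "2.17.1")
    _make_jar(os.path.join(libs, "log4j-core-2.16.0.jar"),
              [LOG4J2_PKG + "core/Logger.class"], "2.16.0")
    _make_jar(os.path.join(libs, "log4j-core-2.17.1.jar"),
              [LOG4J2_PKG + "core/Logger.class"], "2.17.1")
    return scan_libs(libs)


if __name__ == "__main__":
    for jar, verdict in demo().items():
        print(f"{verdict:20s} {jar}")
```

A "log4j1-eol" verdict says the end-of-life code is on the classpath; CVE-2019-17571 itself is only reachable if that SocketServer is actually started and listening, which an inventory of jar contents cannot tell you. Kafka's own statement of which CVEs affect it is the cve-list page linked in the thread.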