As explained in another thread, the log4j API is separate from the implementation. It's
possible to remove the log4j 1.2 jars from the classpath and upgrade to log4j
2.17.1 without changing a line of code in Kafka.


On Monday, January 10, 2022, Tauzell, Dave <dave.tauz...@surescripts.com>
wrote:

> Thanks.  Those KIPs show that there is a fair amount of work for this.
>
> From: Israel Ekpo <israele...@gmail.com>
> Date: Monday, January 10, 2022 at 9:32 AM
> To: users@kafka.apache.org <users@kafka.apache.org>
> Subject: [EXTERNAL] Re: Log4j 1.2
> There are two KIPs already related to this effort
>
> KIP-653
> https://cwiki.apache.org/confluence/display/KAFKA/KIP-653%3A+Upgrade+log4j+to+log4j2
>
> KIP-676
> https://cwiki.apache.org/confluence/display/KAFKA/KIP-676%3A+Respect+logging+hierarchy
>
> I believe the work is in progress; feel free to reach out to the
> contributors if you are able to contribute to the effort by coding,
> reviewing PRs, submitting documentation, etc.
>
>
> Israel Ekpo
> Lead Instructor, IzzyAcademy.com
> https://www.youtube.com/c/izzyacademy
> https://izzyacademy.com/
>
>
> On Mon, Jan 10, 2022 at 10:12 AM Brosy, Franziska <
> franziska.br...@wido.bv.aok.de> wrote:
>
> > Well. Hopefully there is someone who is able and willing to do that
> > work.
> > I'm so sorry that I can't help.
> >
> > Best regards
> > Franziska
> >
> > -----Original Message-----
> > From: Tauzell, Dave <dave.tauz...@surescripts.com>
> > Sent: Monday, 10 January 2022 14:30
> > To: users@kafka.apache.org
> > Subject: Re: Log4j 1.2
> >
> > Log4j 2.x isn't a drop-in replacement for 1.x. It isn't a difficult
> > change, but somebody does need to go through all the source code and do
> > the work.
> >
> >
> > -Dave
> >
> > From: Brosy, Franziska <franziska.br...@wido.bv.aok.de>
> > Date: Monday, January 10, 2022 at 3:16 AM
> > To: users@kafka.apache.org <users@kafka.apache.org>
> > Subject: [EXTERNAL] AW: Log4j 1.2
> > Hi Roger,
> >
> > maybe I wasn't clear enough. I'm not using Kafka myself. I'm a customer
> > of the MicroStrategy Platform. MicroStrategy uses Kafka. Here is the
> > problem: an old Log4j 1.2 is delivered with Kafka.
> >
> >
> > https://www.apache.org/dyn/closer.cgi?path=/kafka/3.0.0/kafka_2.13-3.0.0.tgz
> > kafka_2.13-3.0.0\libs\log4j-1.2.17.jar
> >
> > Your advice regarding CVE-2021-44228 is outdated. It is solved in Log4j 2.17!
> > So why is Kafka delivered with Log4j 1.2 instead of Log4j 2.17??
> >
> > Sticking to a very old version is definitely not secure! Yes, you can use a
> > smartphone with Android 4.2, but you wouldn't expect there to be an emergency
> > to do so - would you?
> >
> > Can you please tell me when Kafka will be upgraded to Log4j at least
> > 2.17? Otherwise, can you please tell me what the reason is to stick to such
> > an old Log4j version and run into security risks?
> >
> > Best regards
> > Franziska
> >
> >
> > -----Original Message-----
> > From: Murilo Tavares <murilo...@gmail.com>
> > Sent: Friday, 7 January 2022 20:23
> > To: users@kafka.apache.org
> > Subject: Re: Log4j 1.2
> >
> > Also worth mentioning: the Kafka community has released this official
> > announcement:
> >
> > https://kafka.apache.org/cve-list
> >
> >
> > On Fri, 7 Jan 2022 at 09:28, Roger Kasinsky <roger.kasin...@gmail.com>
> > wrote:
> >
> > > Hi Franziska,
> > >
> > > When upgrading to Log4J 2.x.x, take extra care not to upgrade to a
> > > 2.x.x version that has a more recent serious security flaw, much worse
> > > than the one you mentioned. You can read more about it here:
> > > https://access.redhat.com/security/cve/cve-2021-44228
> > >
> > > Thanks!
> > >
> > > -R
> > >
> > >
> > > On Fri, Jan 7, 2022 at 10:26 AM Brosy, Franziska <
> > > franziska.br...@wido.bv.aok.de> wrote:
> > >
> > > > Hi all,
> > > >
> > > > can you please tell us why Kafka is still using Log4j 1.2? And when
> > > > it is planned to upgrade the Log4j version??
> > > > Do you know this security vulnerability?:
> > > > https://logging.apache.org/log4j/1.2/
> > > >
> > > > A security vulnerability, CVE-2019-17571
> > > > <https://www.cvedetails.com/cve/CVE-2019-17571/>, has been
> > > > identified against Log4j 1. Log4j includes a SocketServer that
> > > > accepts serialized log events and deserializes them without
> > > > verifying whether the objects are allowed or not. This can provide
> > > > an attack vector that can be exploited. Since Log4j 1 is no longer
> > > > maintained, this issue will not be fixed. Users are urged to
> > > > upgrade to Log4j 2.
> > > >
> > > > Best regards
> > > > Franziska
> > > >
> > >
> > This e-mail and any files transmitted with it are confidential, may
> > contain sensitive information, and are intended solely for the use of the
> > individual or entity to whom they are addressed. If you have received
> this
> > e-mail in error, please notify the sender by reply e-mail immediately and
> > destroy all copies of the e-mail and any attachments.
> >
>


-- 
Sorry this was sent from mobile. Will do less grammar and spell check than
usual.
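Added example, not code from the Kafka project or from anyone in the thread: a small Python scanner for a libs/ directory like the kafka_2.13-3.0.0\libs one cited above. It recovers each jar's artifactId and version from the pom.properties that Apache-built jars embed under META-INF/maven/ (falling back to the file name), flags the shipped log4j-1.2.17.jar as end-of-life because CVE-2019-17571 will not be fixed in Log4j 1, and flags any Log4j 2 jar below 2.17.1, the version named at the top of the thread, as needing an upgrade. Log4j 2's log4j-1.2-api jar, the bridge that lets code written against the 1.x API run on the 2.x implementation, is accepted like any other 2.17.1 jar. The sample directory is constructed inline; the 2.17.1 threshold, the jar names and the helper names are assumptions.

```python
"""Flag end-of-life or outdated Log4j jars in a Kafka-style libs/ directory.

Added example; not Kafka project code. Thresholds are assumptions from the
thread: Log4j 1.x is EOL (CVE-2019-17571 unfixed), Log4j 2.x must be >= 2.17.1.
"""
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass

MIN_LOG4J2 = (2, 17, 1)  # assumption: the target version named in the thread
FILENAME_RE = re.compile(r"^(.*)-(\d+(?:\.\d+)+(?:-[A-Za-z0-9]+)?)\.jar$")


@dataclass
class Finding:
    path: str
    artifact: str
    version: str
    verdict: str


def parse_version(text):
    """'2.17.1' -> (2, 17, 1); stops at the first non-numeric component."""
    parts = []
    for piece in re.split(r"[.\-]", text):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def read_pom_properties(jar_path):
    """Return (artifactId, version) from the jar's embedded pom.properties, or None."""
    with zipfile.ZipFile(jar_path) as zf:
        for name in zf.namelist():
            if not (name.startswith("META-INF/maven/") and name.endswith("/pom.properties")):
                continue
            props = {}
            for line in zf.read(name).decode("utf-8", "replace").splitlines():
                line = line.strip()
                if line and not line.startswith("#") and "=" in line:
                    key, value = line.split("=", 1)
                    props[key.strip()] = value.strip()
            if "artifactId" in props and "version" in props:
                return props["artifactId"], props["version"]
    return None


def assess(artifact, version):
    """Classify one jar; only Log4j artifacts get a verdict other than 'n/a'."""
    v = parse_version(version)
    if artifact == "log4j" and v[:1] == (1,):
        return "EOL: Log4j 1.x (CVE-2019-17571 will not be fixed); migrate to Log4j 2"
    if artifact.startswith("log4j-") and v[:1] == (2,):
        if v < MIN_LOG4J2:
            return "UPGRADE: Log4j 2 below %s" % ".".join(map(str, MIN_LOG4J2))
        return "OK"
    return "n/a"


def scan(libs_dir):
    """Return a Finding for every jar in libs_dir whose coordinates can be read."""
    findings = []
    for name in sorted(os.listdir(libs_dir)):
        if not name.endswith(".jar"):
            continue
        path = os.path.join(libs_dir, name)
        try:
            meta = read_pom_properties(path)
        except zipfile.BadZipFile:
            meta = None  # corrupt or non-zip file: fall back to the file name
        if meta is None:
            m = FILENAME_RE.match(name)
            if m is None:
                continue
            meta = (m.group(1), m.group(2))
        artifact, version = meta
        findings.append(Finding(path, artifact, version, assess(artifact, version)))
    return findings


def _write_jar(libs_dir, filename, artifact, version):
    """Write a minimal constructed jar carrying only a pom.properties entry."""
    entry = "META-INF/maven/constructed/%s/pom.properties" % artifact
    with zipfile.ZipFile(os.path.join(libs_dir, filename), "w") as zf:
        zf.writestr(entry, "artifactId=%s\nversion=%s\n" % (artifact, version))


def build_sample_libs():
    """Constructed stand-in for kafka_2.13-3.0.0/libs: the shipped 1.2.17 jar plus
    hypothetical Log4j 2 jars of the kind the thread proposes swapping in."""
    libs = tempfile.mkdtemp(prefix="kafka-libs-")
    _write_jar(libs, "log4j-1.2.17.jar", "log4j", "1.2.17")
    _write_jar(libs, "log4j-core-2.14.1.jar", "log4j-core", "2.14.1")
    _write_jar(libs, "log4j-api-2.17.1.jar", "log4j-api", "2.17.1")
    _write_jar(libs, "log4j-1.2-api-2.17.1.jar", "log4j-1.2-api", "2.17.1")
    # a jar without pom.properties exercises the file-name fallback
    with zipfile.ZipFile(os.path.join(libs, "slf4j-api-1.7.30.jar"), "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return libs


def demo():
    """Scan the constructed directory; returns {artifact: verdict}."""
    return {f.artifact: f.verdict for f in scan(build_sample_libs())}


if __name__ == "__main__":
    for f in scan(build_sample_libs()):
        print("%-28s %-16s %-8s %s" % (os.path.basename(f.path), f.artifact, f.version, f.verdict))
```

Point `scan()` at a real libs/ directory to get the same report for an installed Kafka. The scanner only identifies which Log4j jar is on the classpath; whether the 1.x SocketServer behind CVE-2019-17571 is actually reachable depends on how logging is configured, so treat a hit as a jar to replace, not as proof of an exposed service.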
