Explained in another thread log4j api is separate from implementation. Its possible to remove log4j 1.2 jars from classpath and upgrade to log4j 2.17.1 without changing a line of code in kafka.
On Monday, January 10, 2022, Tauzell, Dave <dave.tauz...@surescripts.com> wrote: > Thanks. Those KIPs show that there is a fair amount of work for this. > > From: Israel Ekpo <israele...@gmail.com> > Date: Monday, January 10, 2022 at 9:32 AM > To: users@kafka.apache.org <users@kafka.apache.org> > Subject: [EXTERNAL] Re: Log4j 1.2 > There are two KIPs already related to this effort > > KIP-653 > https://urldefense.com/v3/__https://cwiki.apache.org/ > confluence/display/KAFKA/KIP-653*3A*Upgrade*log4j*to* > log4j2__;JSsrKys!!K_cMf-SQz-o!L-WI4wlYZXr-uPSEVkCzLZonJXmNKveV- > 8HJxhQCFXxP5ZBkw7oE0I-dphlW1fQiwF2wVQ$<https://urldefense.com/v3/__https:/ > cwiki.apache.org/confluence/display/KAFKA/KIP-653*3A* > Upgrade*log4j*to*log4j2__;JSsrKys!!K_cMf-SQz-o!L-WI4wlYZXr- > uPSEVkCzLZonJXmNKveV-8HJxhQCFXxP5ZBkw7oE0I-dphlW1fQiwF2wVQ$> > > KIP-676 > https://urldefense.com/v3/__https://cwiki.apache.org/ > confluence/display/KAFKA/KIP-676*3A*Respect*logging* > hierarchy__;JSsrKw!!K_cMf-SQz-o!L-WI4wlYZXr-uPSEVkCzLZonJXmNKveV- > 8HJxhQCFXxP5ZBkw7oE0I-dphlW1fQF_CNUlw$<https://urldefense.com/v3/__https:/ > cwiki.apache.org/confluence/display/KAFKA/KIP-676*3A* > Respect*logging*hierarchy__;JSsrKw!!K_cMf-SQz-o!L-WI4wlYZXr- > uPSEVkCzLZonJXmNKveV-8HJxhQCFXxP5ZBkw7oE0I-dphlW1fQF_CNUlw$> > > I believe the work is in progress, feel free to reach out to the > contributors if you are able to contribute to the effort by coding, > reviewing PRs, submitting documentation etc > > > Israel Ekpo > Lead Instructor, IzzyAcademy.com > https://urldefense.com/v3/__https://www.youtube.com/c/ > izzyacademy__;!!K_cMf-SQz-o!L-WI4wlYZXr-uPSEVkCzLZonJXmNKveV- > 8HJxhQCFXxP5ZBkw7oE0I-dphlW1fTVljfFMg$<https://urldefense.com/v3/__https:/ > www.youtube.com/c/izzyacademy__;!!K_cMf-SQz-o!L-WI4wlYZXr- > uPSEVkCzLZonJXmNKveV-8HJxhQCFXxP5ZBkw7oE0I-dphlW1fTVljfFMg$> > https://urldefense.com/v3/__https://izzyacademy.com/__;!! > K_cMf-SQz-o!L-WI4wlYZXr-uPSEVkCzLZonJXmNKveV-8HJxhQCFXxP5ZBkw7oE0I- > dphlW1fQ3lp3_fQ$<https://urldefense.com/v3/__https:/ > izzyacademy.com/__;!!K_cMf-SQz-o!L-WI4wlYZXr-uPSEVkCzLZonJXmNKveV- > 8HJxhQCFXxP5ZBkw7oE0I-dphlW1fQ3lp3_fQ$> > > > On Mon, Jan 10, 2022 at 10:12 AM Brosy, Franziska < > franziska.br...@wido.bv.aok.de> wrote: > > > Well. Hopefully there is someone who is able and willingly to do that > > work. > > I'm so sorry that I can't help. > > > > Best regards > > Franziska > > > > -----Ursprüngliche Nachricht----- > > Von: Tauzell, Dave <dave.tauz...@surescripts.com> > > Gesendet: Montag, 10. Januar 2022 14:30 > > An: users@kafka.apache.org > > Betreff: Re: Log4j 1.2 > > > > Log4j 2.x isn't a drop-in replacement for 1.x. It isn't a difficult > > change but somebody does need to go through all the source code and do > the > > work. > > > > > > -Dave > > > > From: Brosy, Franziska <franziska.br...@wido.bv.aok.de> > > Date: Monday, January 10, 2022 at 3:16 AM > > To: users@kafka.apache.org <users@kafka.apache.org> > > Subject: [EXTERNAL] AW: Log4j 1.2 > > Hi Roger, > > > > maybe I wasn't clear enough. I'm not using kafka by myself. I'm customer > > of the MicroStrategy Plattform. MicroStrategy uses Kafka. Here is the > > problem. An old Log4j 1.2 is delivered with kafka. > > > > > > https://urldefense.com/v3/__https://www.apache.org/dyn/ > closer.cgi?path=*kafka*3.0.0*kafka_2.13-3.0.0.tgz__;Ly8v!!K_cMf-SQz-o! > LrFhvuhmLy3pfMBGcljRQDNs7bR9WN7rnggwu3lskqPDIWy8R-xYG0aDEMAezzMT0F_bmQ$< > https://urldefense.com/v3/__https:/www.apache.org/dyn/closer.cgi? > path=*kafka*3.0.0*kafka_2.13-3.0.0.tgz__;Ly8v!!K_cMf-SQz-o! > LrFhvuhmLy3pfMBGcljRQDNs7bR9WN7rnggwu3lskqPDIWy8R-xYG0aDEMAezzMT0F_bmQ$> > > < > > https://urldefense.com/v3/__https:/www.apache.org/dyn/ > closer.cgi?path=*kafka*3.0.0*kafka_2.13-3.0.0.tgz__;Ly8v!!K_cMf-SQz-o! > LrFhvuhmLy3pfMBGcljRQDNs7bR9WN7rnggwu3lskqPDIWy8R-xYG0aDEMAezzMT0F_bmQ$ > > > > > kafka_2.13-3.0.0\libs\log4j-1.2.17.jar > > > > Your advice to cve-2021-44228 is outdated. It is solved in Log4j 2.17! > > So why is kafka delivered with Log4j 1.2 instead of Log4j 2.17?? > > > > Stick to a very old version is definitely not secure! Yes, you can use a > > smartphone with Android 4.2 but you wouldn't expect there is an emergency > > to do so - would you? > > > > Can you please tell me when kafka will be upgraded to Log4j at least > 2.17? > > Otherwise can you please tell me what's the reason to stick to such an > old > > Log4j version and run into security risks? > > > > Best regards > > Franziska > > > > > > -----Ursprüngliche Nachricht----- > > Von: Murilo Tavares <murilo...@gmail.com> > > Gesendet: Freitag, 7. Januar 2022 20:23 > > An: users@kafka.apache.org > > Betreff: Re: Log4j 1.2 > > > > Also worth mentioning the Kafka community has released this official > > announcement: > > > > https://urldefense.com/v3/__https://kafka.apache.org/cve- > list__;!!K_cMf-SQz-o!LrFhvuhmLy3pfMBGcljRQDNs7bR9WN7rnggwu3lskqPDIWy8R- > xYG0aDEMAezzNwaYQJzA$<https://urldefense.com/v3/__https:/ > kafka.apache.org/cve-list__;!!K_cMf-SQz-o!LrFhvuhmLy3pfMBGcljRQDNs7bR9WN > 7rnggwu3lskqPDIWy8R-xYG0aDEMAezzNwaYQJzA$> > > < > > https://urldefense.com/v3/__https:/kafka.apache.org/cve- > list__;!!K_cMf-SQz-o!LrFhvuhmLy3pfMBGcljRQDNs7bR9WN7rnggwu3lskqPDIWy8R- > xYG0aDEMAezzNwaYQJzA$ > > > > > > > > > On Fri, 7 Jan 2022 at 09:28, Roger Kasinsky <roger.kasin...@gmail.com> > > wrote: > > > > > Hi Franziska, > > > > > > When upgrading to Log4J 2.x.x, take extra care not to upgrade to a > > > 2.x.x version that has a more recent serious security flaw, much worse > > > than the one you mentioned. You can read more about it here: > > > https://urldefense.com/v3/__https://access.redhat.com/security/cve/cve > <https://urldefense.com/v3/__https:/access.redhat.com/security/cve/cve> > > > -2021-44228__;!!K_cMf-SQz-o!LrFhvuhmLy3pfMBGcljRQDNs7bR9WN7rnggwu3lskq > > > PDIWy8R-xYG0aDEMAezzM4gV-mDw$<https://urldefense.com/v3/__https:/acces > > > s.redhat.com/security/cve/cve-2021-44228__;!!K_cMf-SQz-o!LrFhvuhmLy3pf > > > MBGcljRQDNs7bR9WN7rnggwu3lskqPDIWy8R-xYG0aDEMAezzM4gV-mDw$> > > > > > > Thanks! > > > > > > -R > > > > > > > > > On Fri, Jan 7, 2022 at 10:26 AM Brosy, Franziska < > > > franziska.br...@wido.bv.aok.de> wrote: > > > > > > > Hi all, > > > > > > > > can you please tell us why Kafka is still using Log4j 1.2? And when > > > > it is planned to upgrade the Log4j version?? > > > > Do you know this security vulnerability?: > > > > https://urldefense.com/v3/__https://logging.apache.org/log4j/1.2/__< > https://urldefense.com/v3/__https:/logging.apache.org/log4j/1.2/__>; > > > > !!K_cMf-SQz-o!LrFhvuhmLy3pfMBGcljRQDNs7bR9WN7rnggwu3lskqPDIWy8R-xYG0 > > > > aDEMAezzOOQFfqlA$<https://urldefense.com/v3/__https:/logging.apache. > > > > org/log4j/1.2/__;!!K_cMf-SQz-o!LrFhvuhmLy3pfMBGcljRQDNs7bR9WN7rnggwu > > > > 3lskqPDIWy8R-xYG0aDEMAezzOOQFfqlA$> > > > > > > > > A security vulnerability, CVE-2019-17571< > > > > https://urldefense.com/v3/__https://www.cvedetails.com/cve/CVE-2019- > <https://urldefense.com/v3/__https:/www.cvedetails.com/cve/CVE-2019-> > > > > 17571/__;!!K_cMf-SQz-o!LrFhvuhmLy3pfMBGcljRQDNs7bR9WN7rnggwu3lskqPDI > > > > Wy8R-xYG0aDEMAezzNT4lvIFw$<https://urldefense.com/v3/__https:/www.cv > > > > edetails.com/cve/CVE-2019-17571/__;!!K_cMf-SQz-o!LrFhvuhmLy3pfMBGclj > > > > RQDNs7bR9WN7rnggwu3lskqPDIWy8R-xYG0aDEMAezzNT4lvIFw$> > has been > > > > identified against Log4j 1. Log4j includes a SocketServer that > > > > accepts serialized > > > log > > > > events and deserializes them without verifying whether the objects > > > > are allowed or not. This can provide an attack vector that can be > > expoited. > > > > Since Log4j 1 is no longer maintained this issue will not be fixed. > > > > Users are urged to upgrade to Log4j 2. > > > > > > > > Best regards > > > > Franziska > > > > > > > > > This e-mail and any files transmitted with it are confidential, may > > contain sensitive information, and are intended solely for the use of the > > individual or entity to whom they are addressed. If you have received > this > > e-mail in error, please notify the sender by reply e-mail immediately and > > destroy all copies of the e-mail and any attachments. > > > This e-mail and any files transmitted with it are confidential, may > contain sensitive information, and are intended solely for the use of the > individual or entity to whom they are addressed. If you have received this > e-mail in error, please notify the sender by reply e-mail immediately and > destroy all copies of the e-mail and any attachments. > -- Sorry this was sent from mobile. Will do less grammar and spell check than usual.
