[ https://issues.apache.org/jira/browse/KAFKA-9366?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17489791#comment-17489791 ]
Akansh Shandilya commented on KAFKA-9366:
-----------------------------------------

Voting has been done by multiple users, and more are the requests for upgrading log4j. Can we set or request an ETA for the log4j upgrade to log4j2? Any other challenge in doing so?

[https://logging.apache.org/log4j/1.2/download.html]

Log4j 1.x was End-Of-Life on August 5, 2015. Kafka and Log4j are both connected to Apache. As a strong community we need to think: Does Apache-Kafka require more than 6 years of time to upgrade a log4j library, which was declared End-of-Life by Apache-log4j in 2015?

> Upgrade log4j to log4j2
> -----------------------
>
> Key: KAFKA-9366
> URL: https://issues.apache.org/jira/browse/KAFKA-9366
> Project: Kafka
> Issue Type: Bug
> Components: core
> Affects Versions: 2.2.0, 2.1.1, 2.3.0, 2.4.0
> Reporter: leibo
> Assignee: Dongjin Lee
> Priority: Critical
> Labels: needs-kip
> Fix For: 3.2.0
>
>
> h2. CVE-2019-17571 Detail
> Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.
>
> [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17571]

--
This message was sent by Atlassian Jira
(v8.20.1#820001)
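As an added example (not code from the Kafka project or this Jira thread), the following Python scanner finds Log4j 1.x jars in a deployment tree by looking for the SocketServer class named in CVE-2019-17571 rather than trusting jar file names, which catches renamed or shaded copies that a version-string check would miss. It assumes the jar manifest carries an Implementation-Version attribute; the jar fixtures it builds are constructed stand-ins.

```python
"""Find jars that still ship Log4j 1.x, keyed on the SocketServer class named in
CVE-2019-17571. Added example, not Kafka's or Log4j's code; jar fixtures are stand-ins."""
import os
import tempfile
import zipfile

# Only Log4j 1.2.x ships this class, so it identifies the EOL branch even in renamed jars.
LOG4J1_MARKER = "org/apache/log4j/net/SocketServer.class"

def log4j1_version(jar_path):
    """Return Implementation-Version of a Log4j 1.x jar, or None if it is not one."""
    with zipfile.ZipFile(jar_path) as jar:
        if LOG4J1_MARKER not in jar.namelist():
            return None
        try:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        except KeyError:
            return "unknown"  # marker present but no manifest to read
        for line in manifest.splitlines():
            key, _, value = line.partition(":")
            if key.strip() == "Implementation-Version":
                return value.strip()
        return "unknown"

def find_log4j1_jars(root):
    """Walk root and return {jar_path: version} for every Log4j 1.x jar found."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".jar"):
                continue
            path = os.path.join(dirpath, name)
            try:
                version = log4j1_version(path)
            except zipfile.BadZipFile:
                continue  # not a real jar; skip rather than abort the scan
            if version is not None:
                hits[path] = version
    return hits

def build_sample_tree():
    """Constructed fixture: a renamed Log4j 1.2.17 jar beside a Log4j 2 jar."""
    root = tempfile.mkdtemp()
    with zipfile.ZipFile(os.path.join(root, "logging-shaded.jar"), "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Implementation-Version: 1.2.17\n")
        jar.writestr(LOG4J1_MARKER, b"")  # stand-in entry, not real bytecode
    with zipfile.ZipFile(os.path.join(root, "log4j-core-2.x.jar"), "w") as jar:
        jar.writestr("org/apache/logging/log4j/core/Core.class", b"")  # stand-in
    return root
```

Running `find_log4j1_jars` over a broker's `libs` directory reports only the renamed 1.x jar, not the Log4j 2 artifact.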