[ 
https://issues.apache.org/jira/browse/KAFKA-9366?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17511814#comment-17511814
 ] 

Bruno Cadonna commented on KAFKA-9366:
--------------------------------------

[~brandonk] Actually, I removed it from the 3.2.0 release and postponed it to 
the 3.3.0 release. You are welcome to comment in the discussion thread 
[~showuon] posted above. You could lay out your arguments and propose to block 
the 3.2.0 release on this ticket. You could also comment on the compatibility 
issues that were brought up in the thread from user perspective. All of these 
would help us make a good decision about how to proceed.

> Upgrade log4j to log4j2
> -----------------------
>
>                 Key: KAFKA-9366
>                 URL: https://issues.apache.org/jira/browse/KAFKA-9366
>             Project: Kafka
>          Issue Type: Bug
>          Components: core
>    Affects Versions: 2.2.0, 2.1.1, 2.3.0, 2.4.0
>            Reporter: leibo
>            Assignee: Dongjin Lee
>            Priority: Critical
>              Labels: needs-kip
>             Fix For: 3.3.0
>
>
> h2. CVE-2019-17571 Detail
> Included in Log4j 1.2 is a SocketServer class that is vulnerable to 
> deserialization of untrusted data which can be exploited to remotely execute 
> arbitrary code when combined with a deserialization gadget when listening to 
> untrusted network traffic for log data. This affects Log4j versions up to 1.2 
> up to 1.2.17.
>  
> [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17571]
>  

--
This message was sent by Atlassian Jira
(v8.20.1#820001)