[ https://issues.apache.org/jira/browse/KAFKA-9366?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17515252#comment-17515252 ]

Akansh Shandilya commented on KAFKA-9366:
-----------------------------------------

[~showuon] I appreciate your dedication and efforts to remove the log4j 1.x EOL version from Kafka. Log4j 1.x was declared End-of-Life by Apache log4j in 2015, and Apache Kafka is still using it. Security scanners are also reporting the EOL version of log4j as a vulnerability in Kafka, and there is little scope to explain it to the whole world.

[~showuon] please discuss and review to find a solution with the user who has blocked the chance of a log4j upgrade (log4j 1.x to log4j 2.x) in Kafka.

> Upgrade log4j to log4j2
> -----------------------
>
>                 Key: KAFKA-9366
>                 URL: https://issues.apache.org/jira/browse/KAFKA-9366
>             Project: Kafka
>          Issue Type: Bug
>          Components: core
>    Affects Versions: 2.2.0, 2.1.1, 2.3.0, 2.4.0
>            Reporter: leibo
>            Assignee: Dongjin Lee
>            Priority: Critical
>              Labels: needs-kip
>             Fix For: 3.3.0
>
>
> h2. CVE-2019-17571 Detail
> Included in Log4j 1.2 is a SocketServer class that is vulnerable to
> deserialization of untrusted data which can be exploited to remotely execute
> arbitrary code when combined with a deserialization gadget when listening to
> untrusted network traffic for log data. This affects Log4j versions up to 1.2
> up to 1.2.17.
>
> [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17571]

--
This message was sent by Atlassian Jira
(v8.20.1#820001)