Hi David Ballano Fernandez,

Thanks for reporting this issue. Yes, this is the most critical 0-day vulnerability for security members. I've been investigating this CVE for a while, and I confirmed that *log4j 1.x versions are not affected by this vulnerability.* That is, *Kafka, which is using log4j 1.x, is not affected by this vulnerability*. So, users can safely use Kafka without worries! :)

REF: Here, the PMC of log4j 2 commented on the PR to fix the vulnerability <https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126> and said: *Update (2021-12-11 09:09 JST): according to this analysis <https://twitter.com/ceki/status/1469449618316533762> by @ceki <https://github.com/ceki> (the author of log4j 1.x), Log4j 1.x is not impacted, since it does not have lookups, and the JMS Appender only loads Strings from the remote server, not serialized objects.*

That is, log4j 1 is actually a different project from log4j 2, and the author of log4j 1 confirmed that log4j 1 is not impacted by this vulnerability!

Thank you.
Luke

On Sat, Dec 11, 2021 at 6:42 AM David Ballano Fernandez <dfernan...@demonware.net> wrote:
> Hi All,
>
> I wonder if you guys have heard about this vulnerability
> https://www.randori.com/blog/cve-2021-44228/ affecting log4j v1 and v2.
> As far as I can see, Kafka 2.7 and 2.8 are using log4j v1, which is only
> affected if using the JMS appender.
>
> Any thoughts?
>
> Thanks!
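As an added example (not code from this thread or from the Kafka project), a small triage helper that checks a Kafka install for the two things discussed above: which log4j major version is bundled under libs/ and whether the log4j 1.x JMSAppender is configured in config/log4j.properties. The jar names, the properties text and the Kafka directory layout used below are constructed samples and assumptions.

```python
import re
from pathlib import Path

# Matches log4j jar file names such as log4j-1.2.17.jar or log4j-core-2.14.1.jar.
JAR_RE = re.compile(r"^log4j(?:-(?P<artifact>[a-z0-9.-]+))?-(?P<version>\d+\.\d+\.\d+)\.jar$")
# Class name of the JMS appender shipped with log4j 1.x.
LOG4J1_JMS_APPENDER = "org.apache.log4j.net.JMSAppender"

def classify_jars(jar_names):
    """Map each log4j jar file name to its major version (1 or 2)."""
    found = {}
    for name in jar_names:
        m = JAR_RE.match(name)
        if m:
            found[name] = int(m.group("version").split(".")[0])
    return found

def jms_appenders(log4j_properties_text):
    """Return appender names whose class is the log4j 1.x JMSAppender."""
    names = []
    for line in log4j_properties_text.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        parts = key.strip().split(".")
        # Only 'log4j.appender.<name>=<class>' lines, not '<name>.layout=...' etc.
        if parts[:2] == ["log4j", "appender"] and len(parts) == 3 and value.strip() == LOG4J1_JMS_APPENDER:
            names.append(parts[2])
    return names

def triage(jar_names, log4j_properties_text):
    """Summarise what a defender needs for CVE-2021-44228 triage of a Kafka install."""
    jars = classify_jars(jar_names)
    return {
        "jars": jars,
        "log4j2_core_present": any(n.startswith("log4j-core-") and v == 2 for n, v in jars.items()),
        "jms_appenders": jms_appenders(log4j_properties_text),
    }

def triage_install(kafka_home):
    """Run triage against a real install; assumes the standard libs/ and config/ layout."""
    home = Path(kafka_home)
    props = home / "config" / "log4j.properties"
    jars = [p.name for p in (home / "libs").glob("*.jar")]
    return triage(jars, props.read_text() if props.exists() else "")

# Constructed sample input modelled on a Kafka 2.8-style libs/ directory and log4j.properties.
SAMPLE_JARS = ["kafka_2.13-2.8.0.jar", "log4j-1.2.17.jar", "slf4j-log4j12-1.7.30.jar", "zookeeper-3.5.9.jar"]
SAMPLE_PROPS = "log4j.rootLogger=INFO, stdout\nlog4j.appender.stdout=org.apache.log4j.ConsoleAppender\n" \
               "log4j.appender.stdout.layout=org.apache.log4j.PatternLayout\n" \
               "log4j.appender.jms=org.apache.log4j.net.JMSAppender\nlog4j.appender.jms.TopicBindingName=logTopic\n"

def run_sample():
    return triage(SAMPLE_JARS, SAMPLE_PROPS)
```

A result with only a major-version-1 jar and an empty `jms_appenders` list is the case Luke describes; a non-empty list is the JMS appender caveat David raised, worth a closer look at that appender's configuration.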