Hi all,

Can you please tell us why Kafka is still using Log4j 1.2? And when is it 
planned to upgrade the Log4j version?
Do you know about this security vulnerability?: https://logging.apache.org/log4j/1.2/

A security vulnerability, 
CVE-2019-17571 <https://www.cvedetails.com/cve/CVE-2019-17571/>, has been 
identified against Log4j 1. Log4j includes a SocketServer that accepts 
serialized log events and deserializes them without verifying whether the 
objects are allowed or not. This can provide an attack vector that can be 
exploited. Since Log4j 1 is no longer maintained this issue will not be fixed. 
Users are urged to upgrade to Log4j 2.

Best regards
Franziska
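
An inventory check for the class named in the advisory quoted above, as an added example that is not part of the original message or of the Kafka or Log4j projects. It reports archives (including nested jars) that ship org/apache/log4j/net/SocketServer.class; the archive names, the finding labels and the in-memory sample jars are constructed for illustration.

```python
import io
import zipfile

# Class named in the CVE-2019-17571 advisory text quoted above.
SOCKET_SERVER = "org/apache/log4j/net/SocketServer.class"
# Marker for the Log4j 1.x package namespace; it only shows the 1.x API is present.
LOG4J1_MARKER = "org/apache/log4j/Logger.class"
NESTED_SUFFIXES = (".jar", ".war", ".ear")

def scan_archive(data, name, depth=0, max_depth=3):
    """Return (archive, finding) pairs for one archive given as bytes."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [(name, "unreadable")]
    with zf:
        entries = set(zf.namelist())
        if SOCKET_SERVER in entries:
            findings.append((name, "log4j1-socketserver"))
        elif LOG4J1_MARKER in entries:
            findings.append((name, "log4j1-namespace-only"))
        # Fat jars and web archives bundle dependencies; recurse with a depth limit.
        if depth < max_depth:
            for entry in sorted(entries):
                if entry.lower().endswith(NESTED_SUFFIXES):
                    nested = f"{name}!{entry}"
                    findings += scan_archive(zf.read(entry), nested, depth + 1, max_depth)
    return findings

def make_jar(members):
    """Build a constructed in-memory jar from {path: bytes} for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, content in members.items():
            zf.writestr(path, content)
    return buf.getvalue()

def demo():
    # Constructed sample archives; class bodies are placeholders, not real bytecode.
    log4j1 = make_jar({LOG4J1_MARKER: b"x", SOCKET_SERVER: b"x"})
    stripped = make_jar({LOG4J1_MARKER: b"x"})
    app = make_jar({"com/example/App.class": b"x", "lib/log4j-sample.jar": log4j1})
    return {
        "log4j1": scan_archive(log4j1, "log4j-sample.jar"),
        "stripped": scan_archive(stripped, "log4j-stripped.jar"),
        "app": scan_archive(app, "app.jar"),
        "garbage": scan_archive(b"not a zip", "broken.jar"),
    }
```

A "log4j1-socketserver" finding means the class is on disk, not that a SocketServer is listening; whether one is actually started has to be checked separately in the deployment.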