Posted to jira@kafka.apache.org by GitBox <gi...@apache.org> on 2023/01/12 16:30:43 UTC

[GitHub] [kafka] woja commented on pull request #11743: KAFKA-13660: Switch log4j12 to reload4j

woja commented on PR #11743:
URL: https://github.com/apache/kafka/pull/11743#issuecomment-1380686527

   (apologies if this is not the place for this - if not please forward this or redirect me!)
   
   Since this is included in 3.2.0 (and cherry picked to 3.1) the cve list (here https://kafka.apache.org/cve-list#) on the homepage is now I think out of date.
   
   For example it states that "[CVE-2021-4104](https://access.redhat.com/security/cve/CVE-2021-4104) FLAW IN APACHE LOG4J LOGGING LIBRARY IN VERSIONS 1.X" applies to "All AK Versions" and that:
   
   > In the absence of a new log4j 1.x release, one can remove JMSAppender from the log4j-1.2.17.jar artifact. Commands are listed in the page http://slf4j.org/log4shell.html.
   
   ... but these are the changes that reload4j has included (and its reason for being!), so presumably this (and other reload4j-resolved) vulnerabilities now only apply to Kafka pre-3.1?


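The comment above turns on a question an operator can answer locally: does the Kafka `libs/` directory on a given host ship `log4j-1.2.x.jar`, `reload4j-*.jar`, or a log4j jar that already had `JMSAppender` deleted per the slf4j page? The script below is an added example for this thread, not code from Kafka, reload4j or the commenter. It classifies jars by filename, checks each for the `org/apache/log4j/net/JMSAppender.class` entry, and shows the same effect as deleting that entry from the jar. The jar names and contents it builds are constructed fixtures (placeholder class entries, not real artifacts), so it runs offline; it says nothing about what any real reload4j release contains.

```python
"""Check a Kafka libs/ directory for the log4j 1.x implementation it ships and
for the JMSAppender class behind CVE-2021-4104 (added example, not Kafka code)."""
import re
import tempfile
import zipfile
from pathlib import Path

# The class CVE-2021-4104 concerns; http://slf4j.org/log4shell.html mitigates
# log4j 1.2.x by deleting this entry from the jar.
JMS_APPENDER = "org/apache/log4j/net/JMSAppender.class"

LOG4J1_RE = re.compile(r"^log4j-1\.2\.\d+\.jar$")
RELOAD4J_RE = re.compile(r"^reload4j-\d+(\.\d+)*\.jar$")


def classify_jar(jar: Path) -> dict:
    """Name the implementation a jar is (by filename) and check it for JMSAppender."""
    if LOG4J1_RE.match(jar.name):
        impl = "log4j-1.2"
    elif RELOAD4J_RE.match(jar.name):
        impl = "reload4j"
    else:
        impl = "other"
    with zipfile.ZipFile(jar) as zf:
        has_jms = JMS_APPENDER in zf.namelist()
    return {
        "jar": jar.name,
        "impl": impl,
        "has_jms_appender": has_jms,
        # An unpatched log4j 1.2.x jar is one that still carries the class.
        "unpatched_log4j1": impl == "log4j-1.2" and has_jms,
    }


def audit_libs(libs_dir: Path) -> list[dict]:
    """Classify every *.jar directly under libs_dir, sorted by name."""
    return [classify_jar(p) for p in sorted(libs_dir.glob("*.jar"))]


def _write_jar(path: Path, entries: list[str]) -> None:
    """Write a minimal jar (a zip) holding only placeholder class entries."""
    with zipfile.ZipFile(path, "w") as zf:
        for entry in entries:
            zf.writestr(entry, b"\xca\xfe\xba\xbe")  # class-file magic only; constructed


def build_fixture_libs(libs_dir: Path) -> None:
    """Constructed sample jars: names are illustrative, contents are placeholders."""
    _write_jar(libs_dir / "log4j-1.2.17.jar",
               ["org/apache/log4j/Logger.class", JMS_APPENDER])            # unpatched
    _write_jar(libs_dir / "kafka-clients-3.2.0.jar",
               ["org/apache/kafka/clients/producer/KafkaProducer.class"])  # unrelated
    _write_jar(libs_dir / "reload4j-1.2.19.jar",
               ["org/apache/log4j/Logger.class"])  # placeholder, not the real artifact's contents


def strip_jms_appender(jar: Path) -> None:
    """Rewrite the jar without the JMSAppender entry, the same effect as
    deleting that entry from the archive with `zip -d`."""
    tmp = jar.with_suffix(".jar.tmp")
    with zipfile.ZipFile(jar) as src, zipfile.ZipFile(tmp, "w") as dst:
        for item in src.infolist():
            if item.filename != JMS_APPENDER:
                dst.writestr(item, src.read(item.filename))
    tmp.replace(jar)


def demo() -> tuple[list[dict], list[dict]]:
    """Audit the constructed fixtures before and after stripping JMSAppender
    from the log4j 1.2.17 jar; returns both reports."""
    with tempfile.TemporaryDirectory() as d:
        libs = Path(d)
        build_fixture_libs(libs)
        before = audit_libs(libs)
        strip_jms_appender(libs / "log4j-1.2.17.jar")
        after = audit_libs(libs)
    return before, after


if __name__ == "__main__":
    for report in demo():
        for row in report:
            print(row)
```

Against a real broker, point `audit_libs` at the Kafka `libs/` directory instead of the fixtures; a row with `impl == "reload4j"` or `unpatched_log4j1 == False` is the evidence the commenter is asking the CVE page to reflect.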
-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
