Posted to users@kafka.apache.org by Sandip Bhunia <sa...@tcs.com.INVALID> on 2022/03/29 06:39:16 UTC

Need Help - getting vulnerability due to Log4j- v1.2.17 jar being used in Kafka_2.11-2.4.0.

Dear Team,

We are getting a vulnerability due to the Log4j v1.2.17 jar being used in Kafka_2.11-2.4.0.
We tried to upgrade to Kafka_2.13-3.1.0 to remediate the vulnerability due to Log4j v1.2.17 (obsolete version: Log4j 1.x reached End of Life in 2015 and is no longer supported), but found that this version of Kafka does not use Log4j v2.x.


As per your website there is no such information available. Please let us know when this will get upgraded. Please let us know how to get this vulnerability remediated, as we need to upgrade Log4j to v2.x.




Thanks & Regards,
Sandip Bhunia
Cell: 9932245061
Em@il : sandip.bhunia@tcs.com

Advance Notice of Holidays:




=====-----=====-----=====
Notice: The information contained in this e-mail
message and/or attachments to it may contain 
confidential or privileged information. If you are 
not the intended recipient, any dissemination, use, 
review, distribution, printing or copying of the 
information contained in this e-mail message 
and/or attachments to it are strictly prohibited. If 
you have received this communication in error, 
please notify us by reply e-mail or telephone and 
immediately and permanently delete the message 
and any attachments. Thank you



Re: Need Help - getting vulnerability due to Log4j- v1.2.17 jar being used in Kafka_2.11-2.4.0.

Posted by Bruno Cadonna <ca...@apache.org>.
Hi Sandip,

I just merged the PR https://github.com/apache/kafka/pull/11743 that 
replaces log4j with reload4j. Reload4j will be part of Apache Kafka 
3.2.0 and 3.1.1.

Best,
Bruno

On 30.03.22 04:26, Luke Chen wrote:
> Hi Sandip,
> 
> We plan to replace log4j with reload4j in v3.2.0 and v3.1.1. (KAFKA-13660
> <https://issues.apache.org/jira/browse/KAFKA-13660>)
> And plan to upgrade to log4j2 in v4.0.0.
> 
> You can check this discussion thread for more details:
> https://lists.apache.org/thread/qo1y3249xldt4cpg6r8zkcq5m1q32bf1
> 
> Thank you.
> Luke
> 
> On Tue, Mar 29, 2022 at 10:18 PM Sandip Bhunia
> <sa...@tcs.com.invalid> wrote:
> 
>> Dear Team,
>>
>> We are getting a vulnerability due to the Log4j v1.2.17 jar being used in
>> Kafka_2.11-2.4.0.
>> We tried to upgrade to Kafka_2.13-3.1.0 to remediate the
>> vulnerability due to Log4j v1.2.17 (obsolete version: Log4j 1.x
>> reached End of Life in 2015 and is no longer supported), but found that this
>> version of Kafka does not use Log4j v2.x.
>>
>> As per your website there is no such information available. Please let us
>> know when this will get upgraded. Please let us know how to get this
>> vulnerability remediated, as we need to upgrade Log4j to v2.x.
>>
> 
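As an added example (not part of the thread, and not Kafka project code), a shell check an operator can run against a Kafka installation's libs/ directory to see whether it still ships the Log4j 1.x jar the question is about or the reload4j replacement the replies describe; the two sample directories it builds are constructed, with empty placeholder files whose names mimic distribution jar names.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Reports which logging
# backend a Kafka distribution's libs/ directory ships. Prints one of:
#   LOG4J1 <jar>    a Log4j 1.x jar or the slf4j-log4j12 binding is present
#   RELOAD4J <jar>  the reload4j replacement is present instead
#   NONE            neither found (wrong directory, or a different backend)
check_kafka_logging_jars() {
    libs_dir="$1"
    # Log4j 1.x itself is log4j-1.x.y.jar; slf4j-log4j12-*.jar is the SLF4J
    # binding that depends on it, so either one means Log4j 1.x is still in use.
    for jar in "$libs_dir"/log4j-1.*.jar "$libs_dir"/slf4j-log4j12-*.jar; do
        if [ -e "$jar" ]; then
            echo "LOG4J1 $(basename "$jar")"
            return 0
        fi
    done
    for jar in "$libs_dir"/reload4j-*.jar; do
        if [ -e "$jar" ]; then
            echo "RELOAD4J $(basename "$jar")"
            return 0
        fi
    done
    echo "NONE"
}

# Constructed sample data: two fake libs/ trees with empty placeholder files.
# Jar names are illustrative, not taken from a real download.
make_sample_libs() {
    root=$(mktemp -d)
    mkdir -p "$root/kafka_2.11-2.4.0/libs" "$root/kafka_2.13-3.2.0/libs"
    touch "$root/kafka_2.11-2.4.0/libs/log4j-1.2.17.jar" \
          "$root/kafka_2.11-2.4.0/libs/slf4j-log4j12-1.7.28.jar"
    touch "$root/kafka_2.13-3.2.0/libs/reload4j-1.2.19.jar" \
          "$root/kafka_2.13-3.2.0/libs/slf4j-reload4j-1.7.36.jar"
    echo "$root"
}

# Usage: ./check_kafka_logging_jars.sh /opt/kafka/libs
if [ -n "${1:-}" ]; then
    check_kafka_logging_jars "$1"
fi
```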

Re: Need Help - getting vulnerability due to Log4j- v1.2.17 jar being used in Kafka_2.11-2.4.0.

Posted by Luke Chen <sh...@gmail.com>.
Hi Sandip,

We plan to replace log4j with reload4j in v3.2.0 and v3.1.1. (KAFKA-13660
<https://issues.apache.org/jira/browse/KAFKA-13660>)
And plan to upgrade to log4j2 in v4.0.0.

You can check this discussion thread for more details:
https://lists.apache.org/thread/qo1y3249xldt4cpg6r8zkcq5m1q32bf1

Thank you.
Luke

On Tue, Mar 29, 2022 at 10:18 PM Sandip Bhunia
<sa...@tcs.com.invalid> wrote:

> Dear Team,
>
> We are getting a vulnerability due to the Log4j v1.2.17 jar being used in
> Kafka_2.11-2.4.0.
> We tried to upgrade to Kafka_2.13-3.1.0 to remediate the
> vulnerability due to Log4j v1.2.17 (obsolete version: Log4j 1.x
> reached End of Life in 2015 and is no longer supported), but found that this
> version of Kafka does not use Log4j v2.x.
>
> As per your website there is no such information available. Please let us
> know when this will get upgraded. Please let us know how to get this
> vulnerability remediated, as we need to upgrade Log4j to v2.x.
>
>