Posted to jira@kafka.apache.org by GitBox <gi...@apache.org> on 2021/03/04 08:34:28 UTC

[GitHub] [kafka] sofarsoghood commented on pull request #7898: KAFKA-9366: Change log4j dependency into log4j2

sofarsoghood commented on pull request #7898:
URL: https://github.com/apache/kafka/pull/7898#issuecomment-790429327


   > @dongjinleekr really appreciate your guidance here. Thanks for the patch.
   > 
   > If I chose not to move to this patch right away, can you please confirm that this vulnerability in log4j ([CVE-2019-17571](https://github.com/advisories/GHSA-2qrg-x229-3v8q)) doesn't affect Kafka?
   > 
   > thanks
   
   @priyavj08 we now checked Kafka's source code for any appearances of the SocketServer class or corresponding config files but were not able to find any. Furthermore, we took a closer look at the listening ports inside the running containers.
   
   Conclusion: it looks like the affected SocketServer class is not used by Kafka.

