Posted to users@kafka.apache.org by "Brosy, Franziska" <Fr...@wido.bv.aok.de> on 2022/01/07 13:26:16 UTC

FW: Log4j 1.2

Hi all,

can you please tell us why Kafka is still using Log4j 1.2? And when it is planned to upgrade the Log4j version??
Do you know this security vulnerability?: https://logging.apache.org/log4j/1.2/

A security vulnerability, CVE-2019-17571 (https://www.cvedetails.com/cve/CVE-2019-17571/), has been identified against Log4j 1. Log4j includes a SocketServer that accepts serialized log events and deserializes them without verifying whether the objects are allowed or not. This can provide an attack vector that can be exploited. Since Log4j 1 is no longer maintained this issue will not be fixed. Users are urged to upgrade to Log4j 2.

Best regards
Franziska

Re: Log4j 1.2

Posted by Men Lim <zu...@gmail.com>.
Thanks Ed.

On Mon, Jan 24, 2022 at 2:21 PM Edward Capriolo <ed...@gmail.com>
wrote:

> In general you can delete log4j1.jar
> Replace with log4jcore_2.17.1.jar
> And log4japi_2.17.1.jar
>
> Ed
>
> On Monday, January 24, 2022, Men Lim <zu...@gmail.com> wrote:
>
> > Is there a write out of the steps that need to be taken?
> >
> > On Mon, Jan 24, 2022 at 10:36 AM Edward Capriolo <ed...@gmail.com>
> > wrote:
> >
> > > Explained in another thread: log4j api is separate from implementation.
> > > It's possible to remove log4j 1.2 jars from classpath and upgrade to
> > > log4j 2.17.1 without changing a line of code in kafka.
> > >
> > > On Monday, January 10, 2022, Tauzell, Dave <Dave.Tauzell@surescripts.com>
> > > wrote:
> > >
> > > > Thanks. Those KIPs show that there is a fair amount of work for this.
> > > >
> > > > From: Israel Ekpo <is...@gmail.com>
> > > > Date: Monday, January 10, 2022 at 9:32 AM
> > > > To: users@kafka.apache.org <us...@kafka.apache.org>
> > > > Subject: [EXTERNAL] Re: Log4j 1.2
> > > >
> > > > There are two KIPs already related to this effort:
> > > >
> > > > KIP-653
> > > > https://cwiki.apache.org/confluence/display/KAFKA/KIP-653%3A+Upgrade+log4j+to+log4j2
> > > >
> > > > KIP-676
> > > > https://cwiki.apache.org/confluence/display/KAFKA/KIP-676%3A+Respect+logging+hierarchy
> > > >
> > > > I believe the work is in progress; feel free to reach out to the
> > > > contributors if you are able to contribute to the effort by coding,
> > > > reviewing PRs, submitting documentation etc.
> > > >
> > > > Israel Ekpo
> > > > Lead Instructor, IzzyAcademy.com
> > > > https://www.youtube.com/c/izzyacademy
> > > > https://izzyacademy.com/
> > > >
> > > > On Mon, Jan 10, 2022 at 10:12 AM Brosy, Franziska <
> > > > Franziska.Brosy@wido.bv.aok.de> wrote:
> > > >
> > > > > Well. Hopefully there is someone who is able and willing to do that
> > > > > work.
> > > > > I'm so sorry that I can't help.
> > > > >
> > > > > Best regards
> > > > > Franziska
> > > > >
> > > > > -----Original Message-----
> > > > > From: Tauzell, Dave <Da...@surescripts.com>
> > > > > Sent: Monday, 10 January 2022 14:30
> > > > > To: users@kafka.apache.org
> > > > > Subject: Re: Log4j 1.2
> > > > >
> > > > > Log4j 2.x isn't a drop-in replacement for 1.x. It isn't a difficult
> > > > > change but somebody does need to go through all the source code and
> > > > > do the work.
> > > > >
> > > > > -Dave
> > > > >
> > > > > From: Brosy, Franziska <Fr...@wido.bv.aok.de>
> > > > > Date: Monday, January 10, 2022 at 3:16 AM
> > > > > To: users@kafka.apache.org <us...@kafka.apache.org>
> > > > > Subject: [EXTERNAL] RE: Log4j 1.2
> > > > >
> > > > > Hi Roger,
> > > > >
> > > > > maybe I wasn't clear enough. I'm not using kafka by myself. I'm a
> > > > > customer of the MicroStrategy Platform. MicroStrategy uses Kafka. Here
> > > > > is the problem. An old Log4j 1.2 is delivered with kafka.
> > > > >
> > > > > https://www.apache.org/dyn/closer.cgi?path=/kafka/3.0.0/kafka_2.13-3.0.0.tgz
> > > > > kafka_2.13-3.0.0\libs\log4j-1.2.17.jar
> > > > >
> > > > > Your advice to cve-2021-44228 is outdated. It is solved in Log4j 2.17!
> > > > > So why is kafka delivered with Log4j 1.2 instead of Log4j 2.17??
> > > > >
> > > > > Sticking to a very old version is definitely not secure! Yes, you can
> > > > > use a smartphone with Android 4.2 but you wouldn't expect there is an
> > > > > emergency to do so - would you?
> > > > >
> > > > > Can you please tell me when kafka will be upgraded to Log4j at least
> > > > > 2.17? Otherwise can you please tell me what's the reason to stick to
> > > > > such an old Log4j version and run into security risks?
> > > > >
> > > > > Best regards
> > > > > Franziska
> > > > >
> > > > > -----Original Message-----
> > > > > From: Murilo Tavares <mu...@gmail.com>
> > > > > Sent: Friday, 7 January 2022 20:23
> > > > > To: users@kafka.apache.org
> > > > > Subject: Re: Log4j 1.2
> > > > >
> > > > > Also worth mentioning the Kafka community has released this official
> > > > > announcement:
> > > > >
> > > > > https://kafka.apache.org/cve-list
> > > > >
> > > > > On Fri, 7 Jan 2022 at 09:28, Roger Kasinsky <roger.kasinsky@gmail.com>
> > > > > wrote:
> > > > >
> > > > > > Hi Franziska,
> > > > > >
> > > > > > When upgrading to Log4J 2.x.x, take extra care not to upgrade to a
> > > > > > 2.x.x version that has a more recent serious security flaw, much
> > > > > > worse than the one you mentioned. You can read more about it here:
> > > > > >
> > > > > > https://access.redhat.com/security/cve/cve-2021-44228
> > > > > >
> > > > > > Thanks!
> > > > > >
> > > > > > -R
> > > > > >
> > > > > > On Fri, Jan 7, 2022 at 10:26 AM Brosy, Franziska <
> > > > > > Franziska.Brosy@wido.bv.aok.de> wrote:
> > > > > >
> > > > > > > Hi all,
> > > > > > >
> > > > > > > can you please tell us why Kafka is still using Log4j 1.2? And
> > > > > > > when it is planned to upgrade the Log4j version??
> > > > > > > Do you know this security vulnerability?:
> > > > > > > https://logging.apache.org/log4j/1.2/
> > > > > > >
> > > > > > > A security vulnerability, CVE-2019-17571
> > > > > > > (https://www.cvedetails.com/cve/CVE-2019-17571/), has been
> > > > > > > identified against Log4j 1. Log4j includes a SocketServer that
> > > > > > > accepts serialized log events and deserializes them without
> > > > > > > verifying whether the objects are allowed or not. This can
> > > > > > > provide an attack vector that can be exploited. Since Log4j 1 is
> > > > > > > no longer maintained this issue will not be fixed. Users are
> > > > > > > urged to upgrade to Log4j 2.
> > > > > > >
> > > > > > > Best regards
> > > > > > > Franziska
> > > > > > >
> > > > > >
> > > >
> > >
> > >
> > > --
> > > Sorry this was sent from mobile. Will do less grammar and spell check than
> > > usual.

Re: Log4j 1.2

Posted by Edward Capriolo <ed...@gmail.com>.
In general you can delete log4j1.jar
Replace with log4jcore_2.17.1.jar
And log4japi_2.17.1.jar

Ed

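Before and after the jar swap Ed describes here (and his point elsewhere in this thread that the Log4j API is separate from the implementation), it is worth checking what the Kafka libs/ directory actually ships. The script below is an added example, not part of this thread or of the Kafka project: it flags Log4j 1.x jars (end-of-life, CVE-2019-17571 per the original post), checks log4j-core against 2.17.1, and warns about the slf4j-log4j12 binding, which needs Log4j 1.x classes at runtime and so has to give way to log4j-slf4j-impl once log4j-1.2.17.jar is gone. The jar naming scheme and the 2.17.1 threshold are assumptions taken from the thread.

```shell
#!/bin/sh
# Audit a Kafka libs/ directory for the logging jars discussed in this thread.
# Added example; not from the Kafka project. Assumes upstream jar names
# (log4j-1.2.17.jar, log4j-core-2.17.1.jar, ...) and a target of 2.17.1.

MIN_LOG4J2="2.17.1"

# Map a dotted version such as 2.17.1 to an integer for comparison
# (constructed weighting; assumes each component is below 1000).
ver_num() {
    printf '%s' "$1" | awk -F. '{ printf "%d", $1 * 1000000 + $2 * 1000 + $3 }'
}

# Print one line per logging-related jar; return 1 if anything must be fixed.
#   OK   : acceptable
#   FLAG : vulnerable or end-of-life, blocks sign-off
#   WARN : will break after the jar swap unless its Log4j 2 counterpart is added
audit_logging_jars() {
    libs="$1"
    rc=0
    for jar in "$libs"/*.jar; do
        [ -e "$jar" ] || continue
        name=$(basename "$jar" .jar)
        case "$name" in
            log4j-1.2-api-*)
                # Log4j 2's bridge for the 1.x API; must be matched before log4j-1.*
                echo "OK    $name (Log4j 1.x API bridge shipped by Log4j 2)" ;;
            log4j-1.*)
                echo "FLAG  $name: Log4j 1.x is end-of-life; CVE-2019-17571 (SocketServer deserialization) will not be fixed"
                rc=1 ;;
            log4j-core-*)
                ver=${name#log4j-core-}
                if [ "$(ver_num "$ver")" -ge "$(ver_num "$MIN_LOG4J2")" ]; then
                    echo "OK    $name"
                else
                    echo "FLAG  $name: log4j-core older than $MIN_LOG4J2"
                    rc=1
                fi ;;
            log4j-api-*|log4j-slf4j-impl-*)
                echo "OK    $name" ;;
            slf4j-log4j12-*)
                # SLF4J's binding to Log4j 1.2: it loads Log4j 1.x classes, so once
                # log4j-1.2.17.jar is removed it must be replaced by log4j-slf4j-impl.
                echo "WARN  $name: binds SLF4J to Log4j 1.x; replace with log4j-slf4j-impl-$MIN_LOG4J2"
                rc=1 ;;
        esac
    done
    return "$rc"
}

# Usage: sh audit_log4j.sh /opt/kafka_2.13-3.0.0/libs   (exit status 1 = action needed)
[ "$#" -eq 0 ] || audit_logging_jars "$1"
```

Run it once against the stock distribution and again after the swap; it should go from FLAG/WARN lines and exit status 1 to only OK lines and exit status 0.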

Re: Log4j 1.2

Posted by Men Lim <zu...@gmail.com>.
Is there a write out of the steps that need to be taken?


Re: Log4j 1.2

Posted by Edward Capriolo <ed...@gmail.com>.
Explained in another thread: log4j api is separate from implementation. It's
possible to remove log4j 1.2 jars from classpath and upgrade to log4j
2.17.1 without changing a line of code in kafka.


-- 
Sorry this was sent from mobile. Will do less grammar and spell check than
usual.

Re: [EXTERNAL] Re: Log4j 1.2

Posted by "Tauzell, Dave" <Da...@surescripts.com>.
Thanks.  Those KIPs show that there is a fair amount of work for this.


Re: Log4j 1.2

Posted by Israel Ekpo <is...@gmail.com>.
There are two KIPs already related to this effort

KIP-653
https://cwiki.apache.org/confluence/display/KAFKA/KIP-653%3A+Upgrade+log4j+to+log4j2

KIP-676
https://cwiki.apache.org/confluence/display/KAFKA/KIP-676%3A+Respect+logging+hierarchy

I believe the work is in progress; feel free to reach out to the
contributors if you are able to contribute to the effort by coding,
reviewing PRs, submitting documentation, etc.


Israel Ekpo
Lead Instructor, IzzyAcademy.com
https://www.youtube.com/c/izzyacademy
https://izzyacademy.com/



AW: Log4j 1.2

Posted by "Brosy, Franziska" <Fr...@wido.bv.aok.de>.
Well. Hopefully there is someone who is able and willing to do that work.
I'm so sorry that I can't help.

Best regards
Franziska


Re: Log4j 1.2

Posted by "Tauzell, Dave" <Da...@surescripts.com>.
Log4j 2.x isn't a drop-in replacement for 1.x. It isn't a difficult change but somebody does need to go through all the source code and do the work.


-Dave


AW: Log4j 1.2

Posted by "Brosy, Franziska" <Fr...@wido.bv.aok.de>.
Hi Roger,

Maybe I wasn't clear enough. I'm not using Kafka myself. I'm a customer of the MicroStrategy Platform. MicroStrategy uses Kafka. Here is the problem: an old Log4j 1.2 is delivered with Kafka.

https://www.apache.org/dyn/closer.cgi?path=/kafka/3.0.0/kafka_2.13-3.0.0.tgz
kafka_2.13-3.0.0\libs\log4j-1.2.17.jar

Your advice about CVE-2021-44228 is outdated. It is solved in Log4j 2.17!
So why is Kafka delivered with Log4j 1.2 instead of Log4j 2.17??

Sticking to a very old version is definitely not secure! Yes, you can use a smartphone with Android 4.2, but you wouldn't expect there to be an emergency to do so - would you?

Can you please tell me when Kafka will be upgraded to at least Log4j 2.17?
Otherwise, can you please tell me what the reason is to stick to such an old Log4j version and run into security risks?

Best regards
Franziska 


-----Original Message-----
From: Murilo Tavares <mu...@gmail.com> 
Sent: Friday, 7 January 2022 20:23
To: users@kafka.apache.org
Subject: Re: Log4j 1.2

Also worth mentioning the Kafka community has released this official
announcement:
https://kafka.apache.org/cve-list


On Fri, 7 Jan 2022 at 09:28, Roger Kasinsky <ro...@gmail.com>
wrote:

> Hi Franziska,
>
> When upgrading to Log4J 2.x.x, take extra care not to upgrade to a 
> 2.x.x version that has a more recent serious security flaw, much worse 
> than the one you mentioned. You can read more about it here:
> https://access.redhat.com/security/cve/cve-2021-44228
>
> Thanks!
>
> -R
>
>
> On Fri, Jan 7, 2022 at 10:26 AM Brosy, Franziska < 
> Franziska.Brosy@wido.bv.aok.de> wrote:
>
> > Hi all,
> >
> > can you please tell us why Kafka is still using Log4j 1.2? And when 
> > it is planned to upgrade the Log4j version??
> > Do you know this security vulnerability?:
> > https://logging.apache.org/log4j/1.2/
> >
> > A security vulnerability, CVE-2019-17571< 
> > https://www.cvedetails.com/cve/CVE-2019-17571/> has been identified 
> > against Log4j 1. Log4j includes a SocketServer that accepts 
> > serialized
> log
> > events and deserializes them without verifying whether the objects 
> > are allowed or not. This can provide an attack vector that can be exploited.
> > Since Log4j 1 is no longer maintained this issue will not be fixed. 
> > Users are urged to upgrade to Log4j 2.
> >
> > Best regards
> > Franziska
> >
>
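The check Franziska's message implies (is the libs directory of a Kafka distribution still shipping log4j-1.2.x?) can be scripted. The POSIX shell script below is an added example, not code from this thread or from the Kafka project. It walks a libs directory, flags any Log4j 1.x jar (end-of-life, CVE-2019-17571 never fixed upstream) and any log4j-core or log4j-api 2.x jar older than the "at least 2.17" Franziska asks for, and exits non-zero if anything needs action. The jar names it creates under a temporary directory for a self-contained run are constructed from the file name quoted above; the version numbers of the constructed 2.x jars are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread or the Kafka project): inventory the
# Log4j jars in a Kafka "libs" directory and flag the ones the thread is about.
# Usage: sh log4j-check.sh /opt/kafka_2.13-3.0.0/libs

MIN_LOG4J2="2.17"   # "at least 2.17": the threshold asked for in the thread

# version_ge A B: succeed if dotted numeric version A >= B (no GNU sort -V needed).
version_ge() {
    va="$1"; vb="$2"
    while [ -n "$va" ] || [ -n "$vb" ]; do
        ca=${va%%.*}; cb=${vb%%.*}                 # leading component of each
        if [ "$ca" = "$va" ]; then va=""; else va=${va#*.}; fi
        if [ "$cb" = "$vb" ]; then vb=""; else vb=${vb#*.}; fi
        ca=${ca:-0}; cb=${cb:-0}                   # missing component counts as 0
        if [ "$ca" -gt "$cb" ]; then return 0; fi
        if [ "$ca" -lt "$cb" ]; then return 1; fi
    done
    return 0
}

# classify_log4j_jar PATH: print one status line for a jar; return 1 if it needs action.
classify_log4j_jar() {
    name=$(basename "$1")
    case "$name" in
        log4j-1.*.jar)
            echo "ACTION  $name: Log4j 1.x is end-of-life; CVE-2019-17571 (SocketServer deserialization) will not be fixed"
            return 1 ;;
        log4j-core-2.*.jar|log4j-api-2.*.jar)
            module=${name%%-2.*}                   # log4j-core or log4j-api
            ver=${name#"$module"-}; ver=${ver%.jar}; ver=${ver%%-*}   # drop .jar and any -SNAPSHOT suffix
            if version_ge "$ver" "$MIN_LOG4J2"; then
                echo "OK      $name: $module $ver"
                return 0
            fi
            echo "ACTION  $name: $module $ver is older than $MIN_LOG4J2; see https://kafka.apache.org/cve-list"
            return 1 ;;
        *)
            echo "REVIEW  $name: not a Log4j jar name this script assesses"
            return 0 ;;
    esac
}

# scan_log4j_jars DIR: report every log4j*.jar in DIR; succeed only if none needs action.
scan_log4j_jars() {
    libdir="$1"; needs_action=0
    for jar in "$libdir"/log4j*.jar; do
        [ -e "$jar" ] || continue                  # unmatched glob is returned literally
        classify_log4j_jar "$jar" || needs_action=1
    done
    [ "$needs_action" -eq 0 ]
}

# make_sample_libs: constructed sample tree (empty files, names only) so the
# script can be run offline; prints the root directory. The 1.2.17 name is the
# one quoted in the thread, the 2.x versions are illustrative assumptions.
make_sample_libs() {
    sample_root=$(mktemp -d)
    mkdir -p "$sample_root/kafka_2.13-3.0.0/libs" "$sample_root/stale/libs" "$sample_root/current/libs"
    : > "$sample_root/kafka_2.13-3.0.0/libs/log4j-1.2.17.jar"
    : > "$sample_root/stale/libs/log4j-core-2.15.0.jar"
    : > "$sample_root/stale/libs/log4j-api-2.15.0.jar"
    : > "$sample_root/current/libs/log4j-core-2.17.1.jar"
    : > "$sample_root/current/libs/log4j-api-2.17.1.jar"
    echo "$sample_root"
}

# CLI entry point: scan the directory given as the first argument, if any.
if [ "$#" -gt 0 ]; then scan_log4j_jars "$1"; fi
```

Running it against the constructed tree prints an ACTION line for log4j-1.2.17.jar and for the 2.15.0 jars, and OK lines for the 2.17.1 pair; the non-zero exit status makes it usable as a gate in a build or deployment pipeline that unpacks the Kafka tarball.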

Re: Log4j 1.2

Posted by Murilo Tavares <mu...@gmail.com>.
Also worth mentioning the Kafka community has released this official
announcement:
https://kafka.apache.org/cve-list


On Fri, 7 Jan 2022 at 09:28, Roger Kasinsky <ro...@gmail.com>
wrote:

> Hi Franziska,
>
> When upgrading to Log4J 2.x.x, take extra care not to upgrade to a 2.x.x
> version that has a more recent serious security flaw, much worse than the
> one you mentioned. You can read more about it here:
> https://access.redhat.com/security/cve/cve-2021-44228
>
> Thanks!
>
> -R
>
>
> On Fri, Jan 7, 2022 at 10:26 AM Brosy, Franziska <
> Franziska.Brosy@wido.bv.aok.de> wrote:
>
> > Hi all,
> >
> > can you please tell us why Kafka is still using Log4j 1.2? And when it is
> > planned to upgrade the Log4j version??
> > Do you know this security vulnerability?:
> > https://logging.apache.org/log4j/1.2/
> >
> > A security vulnerability, CVE-2019-17571<
> > https://www.cvedetails.com/cve/CVE-2019-17571/> has been identified
> > against Log4j 1. Log4j includes a SocketServer that accepts serialized
> log
> > events and deserializes them without verifying whether the objects are
> > allowed or not. This can provide an attack vector that can be exploited.
> > Since Log4j 1 is no longer maintained this issue will not be fixed. Users
> > are urged to upgrade to Log4j 2.
> >
> > Best regards
> > Franziska
> >
>

Re: Log4j 1.2

Posted by Roger Kasinsky <ro...@gmail.com>.
Hi Franziska,

When upgrading to Log4J 2.x.x, take extra care not to upgrade to a 2.x.x
version that has a more recent serious security flaw, much worse than the
one you mentioned. You can read more about it here:
https://access.redhat.com/security/cve/cve-2021-44228

Thanks!

-R


On Fri, Jan 7, 2022 at 10:26 AM Brosy, Franziska <
Franziska.Brosy@wido.bv.aok.de> wrote:

> Hi all,
>
> can you please tell us why Kafka is still using Log4j 1.2? And when it is
> planned to upgrade the Log4j version??
> Do you know this security vulnerability?:
> https://logging.apache.org/log4j/1.2/
>
> A security vulnerability, CVE-2019-17571<
> https://www.cvedetails.com/cve/CVE-2019-17571/> has been identified
> against Log4j 1. Log4j includes a SocketServer that accepts serialized log
> events and deserializes them without verifying whether the objects are
> allowed or not. This can provide an attack vector that can be exploited.
> Since Log4j 1 is no longer maintained this issue will not be fixed. Users
> are urged to upgrade to Log4j 2.
>
> Best regards
> Franziska
>