[KAFKA-9366] Upgrade log4j to log4j2 - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: In Progress
Priority: Critical
Resolution: Unresolved
Affects Version/s: 2.2.0, 2.1.1, 2.3.0, 2.4.0
Fix Version/s: 4.0.0
Component/s: core
Labels:
- needs-kip

Description

CVE-2019-17571 Detail

Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17571

Attachments

Issue Links

Dependent

KAFKA-13604 Add pluggable logging framework support

Open

is blocked by

KAFKA-10877 Instantiating loggers for every FetchContext causes low request handler idle pool ratio.

Open

is depended upon by

KAFKA-12399 Deprecate Log4J Appender KIP-719

In Progress

is duplicated by

KAFKA-13616 Log4j 1.X CVE-2022-23302/5/7 vulnerabilities

Resolved

KAFKA-13729 Kafka Core Components and other projects (like broker) using older version of the log4j 1.x, need to update 2.x

Resolved

KAFKA-13534 Upgrade Log4j to 2.15.0 - CVE-2021-44228

Resolved

is related to

KAFKA-13534 Upgrade Log4j to 2.15.0 - CVE-2021-44228

Resolved

relates to

KAFKA-13625 Fix inconsistency in dynamic application log levels

In Progress

links to

GitHub Pull Request #7898

mentioned in: Page Loading...

(1 is duplicated by, 1 is related to, 1 relates to, 1 links to, 1 mentioned in)

Activity

People

Assignee:: Dongjin Lee

Reporter:: leibo

Votes:: 23 Vote for this issue

Watchers:: 37 Start watching this issue

Dates

Created:: 06/Jan/20 02:05

Updated:: 21/May/23 18:00