Upgrade log4j dependency to supported version
robertjgtoth opened this issue · comments
At the moment, the slf4j-log4j12 binding for log4j 1.2 is being used for logging, which pulls in log4j 1.2.17 as a dependency.
embedded-kafka/project/Dependencies.scala, line 15 in b44b1d2
Log4j 1.2 has been end-of-life since 2015, and suffers from several major vulnerabilities (for example https://www.cvedetails.com/cve/CVE-2022-23305/ and https://www.cvedetails.com/cve/CVE-2021-4104/).
Many software organizations have security policies which prohibit using libraries which depend on software with such high-visibility security issues (even in test), and as such are unable to use your library, even though they'd really like to.
Replacing the slf4j-log4j12 library with a binding for log4j 2.x (for example https://logging.apache.org/log4j/2.x/log4j-slf4j-impl/), or replacing use of log4j with another logging framework such as logback or JCL, would be a good step for the security of this library.
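The swap the issue asks for, written as an sbt `Dependencies.scala` fragment. This is an added example, not the embedded-kafka project's own file: the Kafka coordinates and all version values are assumptions or placeholders, and the `log4j-1.2-api` bridge is included because Kafka's own classes are compiled against the log4j 1.2 API.

```scala
// Added example (not the project's Dependencies.scala). Versions are
// placeholders; the kafka artifact coordinates are assumed.
import sbt._

object Dependencies {
  object Versions {
    val slf4j  = "1.7.x"  // placeholder
    val log4j2 = "2.x.y"  // placeholder: use a currently supported 2.x release
    val kafka  = "3.x.y"  // placeholder
  }

  // Before: the SLF4J binding for log4j 1.2, which transitively pulls in
  // the end-of-life log4j 1.2.17 jar onto the test classpath.
  val slf4jLog4j12Binding: ModuleID =
    "org.slf4j" % "slf4j-log4j12" % Versions.slf4j % Test

  // After: route SLF4J to log4j 2.x and bridge code that still calls the
  // log4j 1.2 API (Kafka's own classes) onto the 2.x core.
  val log4j2Binding: Seq[ModuleID] = Seq(
    "org.apache.logging.log4j" % "log4j-slf4j-impl" % Versions.log4j2 % Test,
    "org.apache.logging.log4j" % "log4j-core"       % Versions.log4j2 % Test,
    "org.apache.logging.log4j" % "log4j-1.2-api"    % Versions.log4j2 % Test
  )

  // Kafka brings log4j 1.2 in transitively; exclude it so the only log4j
  // artifacts left on the classpath are the 2.x ones above.
  val kafka: ModuleID = ("org.apache.kafka" %% "kafka" % Versions.kafka % Test)
    .exclude("log4j", "log4j")
    .exclude("org.slf4j", "slf4j-log4j12")

  val testDependencies: Seq[ModuleID] = kafka +: log4j2Binding
}
```

After the change, `sbt "show Test/dependencyClasspath"` should list no `log4j-1.2.17.jar`; if it still does, another dependency is re-introducing it and needs the same exclusion.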
Hi @robertjgtoth , thank you for your message.
Kafka itself is the main reason this library is relying on log4j. Apache is aware of the vulnerability (see this issue) and they stated that
We plan to move to log4j2 in the next major release 4.0.0.
That being said, this library pulls log4j only in the test scope, so it is not enforcing the dependency onto its clients.
Hope this helps, cheers
Apache Kafka is using reload4j which doesn't have the vulnerabilities mentioned.