Hi,

Currently, Apache Kafka with log4j2 is planned for 4.0, after the 3.5 release. If it is urgent, please have a look at the preview versions here <http://home.apache.org/~dongjin/post/apache-kafka-log4j2-support/> - You can find a custom preview based on 3.0.1, 3.1.1, and 3.2.0.

I wrote KIP-653 and KIP-719, and am maintaining the previews & bug fixes <https://serverfault.com/questions/1088082/kafka-stores-log4j-logs-in-directory-literally-called-kafka-logs-dir/1102589>. I am also working on the docker image, but it is being delayed since I am applying this feature to my employer <https://en.wikipedia.org/wiki/Naver_Corporation>'s internal Kafka distribution. If you experience problems trying the preview, don't hesitate to send me a direct message.

Thanks,
Dongjin

On Tue, Jun 28, 2022 at 12:41 AM <kumar.maya...@cognizant.com> wrote:

> Hi Team,
>
> Trust you are doing well and I hope I'm mailing the correct DL (if not, kindly point me to one)!
>
> This mail is w.r.t. Kafka Log4j vulnerabilities. PFB the description -
>
> Log4J 1.x vulnerability with Kafka is a known vulnerability. The published workaround is to remove the Appender Classes from the JAR artefact. This has already been implemented by the DevOps team.
>
> Kafka documentation referred from here - https://kafka.apache.org/cve-list
>
> However our Corporate Security Team wants Log4j 1.x versions to be completely removed and/or upgraded to log4j 2.x. We have not come across any published set-up steps from Kafka documentation.
>
> There is one blog that talks about an upgrade proposal but we are unsure whether it can be implemented (blog link below) -
>
> https://cwiki.apache.org/confluence/display/KAFKA/KIP-719%3A+Deprecate+Log4J+Appender#KIP719:DeprecateLog4JAppender-1.Deprecatelog4j-appender
>
> Please advise the best way forward. This is a crucial issue and we are getting daily follow-ups from the Security Teams.
>
> Thanks,
> Mayank
>
> This e-mail and any files transmitted with it are for the sole use of the intended recipient(s) and may contain confidential and privileged information. If you are not the intended recipient(s), please reply to the sender and destroy all copies of the original message. Any unauthorized review, use, disclosure, dissemination, forwarding, printing or copying of this email, and/or any action taken in reliance on the contents of this e-mail is strictly prohibited and may be unlawful. Where permitted by applicable law, this e-mail and other e-mail communications sent to and from Cognizant e-mail addresses may be monitored.

--
*Dongjin Lee*
*A hitchhiker in the mathematical world.*
*github: github.com/dongjinleekr <https://github.com/dongjinleekr>*
*keybase: https://keybase.io/dongjinleekr <https://keybase.io/dongjinleekr>*
*linkedin: kr.linkedin.com/in/dongjinleekr <https://kr.linkedin.com/in/dongjinleekr>*
*speakerdeck: speakerdeck.com/dongjin <https://speakerdeck.com/dongjin>*
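The thread turns on two different states a Kafka `libs/` directory can be in: the published workaround (appender classes deleted from the log4j 1.x jar) and what the security team is actually asking for (no log4j 1.x jar at all, i.e. the log4j2 upgrade). The script below is an added example for this page, not code from Apache Kafka or from either poster. It inventories every jar in a directory, recognises log4j 1.x and log4j 2.x core by the `pom.properties` path Maven writes into each jar (an assumption about how the jars were built; a hand-repackaged jar may lack it), reports which risky appender classes are still present, and applies the "remove the appender classes" workaround itself. `RISKY_CLASSES` holds only `JMSAppender`, the class the Kafka CVE list names; the sample jars are constructed stand-ins with placeholder bytes, not real class files.

```python
"""Inventory a Kafka libs/ directory for log4j 1.x jars and check whether the
appender classes named in the Kafka CVE list have been stripped from them.
Added example for this thread; not code from Apache Kafka or from the posters."""
import os
import tempfile
import zipfile

# Maven writes this file into every log4j 1.x jar (groupId "log4j", artifactId "log4j").
# Assumption: the jars in libs/ are the Maven-built artefacts, not hand-repackaged ones.
LOG4J1_POM = "META-INF/maven/log4j/log4j/pom.properties"
# Same marker for log4j 2.x core, so an upgraded libs/ directory is recognised as such.
LOG4J2_CORE_POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Appender classes whose removal is the published log4j 1.x workaround. JMSAppender is
# the one Kafka's CVE list names; extend the tuple from that page as needed.
RISKY_CLASSES = ("org/apache/log4j/net/JMSAppender.class",)


def inspect_jar(path):
    """Describe one jar: which log4j generation it is and which risky classes remain."""
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
    return {
        "jar": os.path.basename(path),
        "log4j1": LOG4J1_POM in names,
        "log4j2_core": LOG4J2_CORE_POM in names,
        "risky_present": sorted(c for c in RISKY_CLASSES if c in names),
    }


def scan_libs(libs_dir):
    """Inspect every jar; return (findings, clean), clean meaning no log4j 1.x jar remains."""
    findings = [inspect_jar(os.path.join(libs_dir, name))
                for name in sorted(os.listdir(libs_dir)) if name.endswith(".jar")]
    clean = not any(f["log4j1"] for f in findings)
    return findings, clean


def strip_classes(src, dst, classes=RISKY_CLASSES):
    """Copy src to dst without the given entries: the 'remove the appender classes' workaround."""
    removed = []
    with zipfile.ZipFile(src) as sj, zipfile.ZipFile(dst, "w", zipfile.ZIP_DEFLATED) as dj:
        for info in sj.infolist():
            if info.filename in classes:
                removed.append(info.filename)
                continue
            dj.writestr(info, sj.read(info.filename))
    return removed


def build_demo_libs(libs_dir):
    """Create constructed stand-in jars (placeholder bytes, not real class files)."""
    with zipfile.ZipFile(os.path.join(libs_dir, "log4j-1.x-constructed.jar"), "w") as jar:
        jar.writestr(LOG4J1_POM, "groupId=log4j\nartifactId=log4j\n")
        jar.writestr("org/apache/log4j/Logger.class", b"\xca\xfe\xba\xbe")
        jar.writestr("org/apache/log4j/net/JMSAppender.class", b"\xca\xfe\xba\xbe")
    with zipfile.ZipFile(os.path.join(libs_dir, "log4j-core-2.x-constructed.jar"), "w") as jar:
        jar.writestr(LOG4J2_CORE_POM, "groupId=org.apache.logging.log4j\nartifactId=log4j-core\n")


def demo():
    """Apply the workaround to the constructed libs dir; return the scan before and after."""
    with tempfile.TemporaryDirectory() as libs:
        build_demo_libs(libs)
        before, clean_before = scan_libs(libs)
        old = os.path.join(libs, "log4j-1.x-constructed.jar")
        tmp = old + ".stripped"
        removed = strip_classes(old, tmp)
        os.replace(tmp, old)
        after, clean_after = scan_libs(libs)
    return {"before": before, "clean_before": clean_before, "removed": removed,
            "after": after, "clean_after": clean_after}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point the run makes is the one the thread is about: after `strip_classes`, `risky_present` is empty for the 1.x jar, but `clean` is still `False`, because the jar is still log4j 1.x. Only replacing it (the KIP-653/KIP-719 path, or the preview builds linked above) turns the scan clean, which is the condition a "completely removed and/or upgraded" requirement actually tests. Point `scan_libs` at the real `libs/` directory of a broker to get the same report for a deployment.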