Kafka Log4J vulnerabilities - Urgent

2022-06-27 Thread Kumar.Mayank2
Hi Team,

Trust you are doing good and I hope I'm mailing the correct DL (if not, kindly 
point me to one)!

This mail is w.r.t Kafka Log4j vulnerabilities. PFB the description -

Log4J 1.x vulnerability with Kafka is a known vulnerability. The published 
workaround is to remove the Appender Classes from the JAR artefact. This has 
already been implemented by DevOps team.

Kafka documentation referred from here - https://kafka.apache.org/cve-list

However our Corporate Security Team wants Log4j 1.x versions to be completely 
removed and/or upgraded to log4j 2.x. We have not come across any published set 
up steps from Kafka documentation.

There is one blog that talks about upgrade proposal but we are unsure whether 
it can be implemented (blog link below) -

https://cwiki.apache.org/confluence/display/KAFKA/KIP-719%3A+Deprecate+Log4J+Appender#KIP719:DeprecateLog4JAppender-1.Deprecatelog4j-appender

Please advise the best way forward. This is a crucial issue and we are getting 
daily follow-ups from the Security Teams.

Thanks,
Mayank



[FINAL CALL] - Travel Assistance to ApacheCon New Orleans 2022

2022-06-27 Thread Gavin McDonald
To all committers and non-committers.

This is a final call to apply for travel/hotel assistance to get to and
stay in New Orleans for ApacheCon 2022.

Applications have been extended by one week and so the application deadline
is now the 8th July 2022.

The rest of this email is a copy of what has been sent out previously.

We will be supporting ApacheCon North America in New Orleans, Louisiana,
on October 3rd through 6th, 2022.

TAC exists to help those that would like to attend ApacheCon events, but
are unable to do so for financial reasons. This year, we are supporting
both committers and non-committers involved with projects at the
Apache Software Foundation, or open source projects in general.

For more info on this year's applications and qualifying criteria, please
visit the TAC website at http://www.apache.org/travel/
Applications have been extended until the 8th of July 2022.

Important: Applicants have until the closing date above to submit their
applications (which should contain as much supporting material as required
to efficiently and accurately process their request), this will enable TAC
to announce successful awards shortly afterwards.

As usual, TAC expects to deal with a range of applications from a diverse
range of backgrounds. We therefore encourage (as always) anyone thinking
about sending in an application to do so ASAP.

Why should you attend as a TAC recipient? We encourage you to read stories
from past recipients at https://apache.org/travel/stories/ . Also note that
previous TAC recipients have gone on to become Committers, PMC Members, ASF
Members, Directors of the ASF Board and Infrastructure Staff members.
Others have gone from Committer to full time Open Source Developers!

How far can you go! - Let TAC help get you there.


===

Gavin McDonald on behalf of the Travel Assistance Committee.