Hi Israel,
Thanks for your prompt response but it didn't resolve my query.
We are mainly concerned about the CVE-2021-4104 vulnerability as Log4j 1.x is used
by the core components which are currently being used in our prod env.
I just want to know whether the preview in the following link (which uses the
latest Kafka with Log4j2) is the stable and official release from the Apache
Kafka community and whether we can use it in our production environment.

If not, then since we do not use the JMS Appender, do we wait for Apache
Kafka to officially release the Kafka version which uses Log4j2 and is
compatible with Java 8?

Regards,
Deepak

________________________________
From: Israel Ekpo <israele...@gmail.com>
Sent: Thursday, December 23, 2021 1:09:13 AM
To: Users <users@kafka.apache.org>
Cc: Luke Chen <show...@gmail.com>
Subject: Re: Log4j 2.x preview for Kafka

Currently, the core Apache Kafka components do not have any dependencies on
log4j2.

There may be Kafka connectors that use log4j2, so you would need to check
with your connector vendors to see if this applies to those connectors.

If you do not use Kafka connect, then this may not apply to you.

Here is the official announcement from the Kafka project on this issue

https://kafka.apache.org/cve-list

If you are using a non-upstream Kafka distro that includes log4j2, then check
with that vendor for additional information.

I hope this helps

Israel Ekpo
Lead Instructor, IzzyAcademy.com
https://izzyacademy.com/


On Wed, Dec 22, 2021 at 10:58 AM Deepak Jain <
deepak.j...@cumulus-systems.com> wrote:

> Hi Luke,
>
> We are using Kafka 2.8.1 Broker/Client system in our prod env. Due to the
> Log4j vulnerabilities CVE-2021-44228, CVE-2021-45046, CVE-2021-4104 and
> CVE-2021-45105, we are waiting for Kafka to upgrade to Log4j 2.17. However,
> we came across the following link in which there is a preview for the same.
>
> http://home.apache.org/~dongjin/post/apache-kafka-log4j2-support/
>
> Please let us know if it's safe and stable to upgrade our prod env with
> the preview or do we wait for the official Kafka release (Log4j 2.x support
> with Java 8) for the same.
>
> Thanks in advance.
>
> Regards,
> Deepak
>
>
