Hi Deepak, Kafka 3.0 deprecated Java 8, but (as I understand it) build support will not be removed until Kafka 4.0. Therefore, you can upgrade to the 3.x release which has the log4j fixes and this will still be built with Java 8 support.
Cheers, Tom Cooper On Fri, Feb 11, 2022 at 17:41, Deepak Jain <deepak.j...@cumulus-systems.com> wrote: > Hi Luke, > > Thanks for your prompt reply. > > Our application uses Java 8 but it seems the java 8 support is deprecated > from Kafka 3.0.0 release onwards. > > Please let us know if Kafka is planning to upgrade Log4j to latest version in > Kafka future release (2.8.x) which supports Java 8. > > Regards, > Deepak > > From: Luke Chen <show...@gmail.com> > Sent: 11 February 2022 18:15 > To: Deepak Jain <deepak.j...@cumulus-systems.com> > Cc: users@kafka.apache.org; Alap Patwardhan <a...@cumulus-systems.com> > Subject: Re: Kafka Log4j2.x upgrade plan > > Hi Deepak, > > The PR to upgrade to log4j 2 is already under review. And so far it looks > good. > So I think it's possible to be merged into v3.2.0. > But still, it's not guaranteed. > > PR is here: https://github.com/apache/kafka/pull/7898. > Welcome to provide comments to make it get merged faster. > > Thank you. > Luke > > On Fri, Feb 11, 2022 at 7:41 PM Deepak Jain > <deepak.j...@cumulus-systems.com<mailto:deepak.j...@cumulus-systems.com>> > wrote: > Hi Luke, > > First of all Congratulations. Thanks for all your contributions. > > Please let us know if Kafka is planning to upgrade Log4j to latest version in > Kafka future release. Our Customer is eagerly waiting and following with us > regarding the same. > > Regards, > > Deepak > > From: Luke Chen <show...@gmail.com<mailto:show...@gmail.com>> > Sent: 21 January 2022 12:35 > To: Deepak Jain > <deepak.j...@cumulus-systems.com<mailto:deepak.j...@cumulus-systems.com>> > Cc: users@kafka.apache.org<mailto:users@kafka.apache.org>; Alap Patwardhan > <a...@cumulus-systems.com<mailto:a...@cumulus-systems.com>> > Subject: Re: Kafka Log4j2.x upgrade plan > > Hi Deepak, > > So far, we don't have an ETA for log4j2. > Please check this discussion: https://issues.apache.org/jira/browse/KAFKA-9366 > > Thank you. > Luke > > On Fri, Jan 21, 2022 at 1:57 PM Deepak Jain > <deepak.j...@cumulus-systems.com<mailto:deepak.j...@cumulus-systems.com>> > wrote: > Hi Luke, > > We are using Kafka 2.8.1 Broker/Client system in our prod env. Due to the > Log4j vulnerability CVE-2021-44228, CVE-2021-45046, CVE-2021-4104 and > CVE-2021-45105, we are waiting for kafka to upgrade to Log4j 2.17. > > Our Customers are asking why Kafka is using obsolete log4j1.x version. > > Please let us know when Kafka is planned to upgrade the Log4j version? > > Thanks in advance. > > Regards, > Deepak
