Hi Team,

Trust you are doing well, and I hope I'm mailing the correct DL (if not, kindly 
point me to one)!

This mail is w.r.t. the Kafka Log4j vulnerabilities. PFB the description:

The Log4j 1.x vulnerability with Kafka is a known vulnerability. The published 
workaround is to remove the Appender classes from the JAR artefact. This has 
already been implemented by the DevOps team.

Kafka documentation referred to: https://kafka.apache.org/cve-list

However, our Corporate Security Team wants Log4j 1.x versions to be completely 
removed and/or upgraded to Log4j 2.x. We have not come across any published 
setup steps in the Kafka documentation.

There is one blog that talks about an upgrade proposal, but we are unsure whether 
it can be implemented (blog link below):

https://cwiki.apache.org/confluence/display/KAFKA/KIP-719%3A+Deprecate+Log4J+Appender#KIP719:DeprecateLog4JAppender-1.Deprecatelog4j-appender

Please advise on the best way forward. This is a crucial issue and we are getting 
daily follow-ups from the Security Teams.

Thanks,
Mayank

This e-mail and any files transmitted with it are for the sole use of the 
intended recipient(s) and may contain confidential and privileged information. 
If you are not the intended recipient(s), please reply to the sender and 
destroy all copies of the original message. Any unauthorized review, use, 
disclosure, dissemination, forwarding, printing or copying of this email, 
and/or any action taken in reliance on the contents of this e-mail is strictly 
prohibited and may be unlawful. Where permitted by applicable law, this e-mail 
and other e-mail communications sent to and from Cognizant e-mail addresses may 
be monitored.
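The mail above says the DevOps team applied the published workaround of deleting the risky appender classes from the log4j 1.x jar. The script below is an added example (not from the original mail, not Kafka project code) of how to do that removal in a reproducible way and, more importantly, how to verify afterwards that the shipped jar really no longer contains those entries, which is the evidence a security team will usually ask for. The list of class paths is an assumption for the example and should be checked against the Kafka CVE list; the sample jar it builds is a constructed stand-in with placeholder entries, not real log4j bytecode.

```python
import os
import shutil
import tempfile
import zipfile

# Class entries the log4j 1.x mitigation strips from the jar (equivalent of
# "zip -q -d log4j-*.jar <entry>"). Assumed list for this example; confirm the
# exact set against https://kafka.apache.org/cve-list before relying on it.
RISKY_ENTRIES = {
    "org/apache/log4j/net/JMSAppender.class",
    "org/apache/log4j/net/SocketServer.class",
    "org/apache/log4j/net/JMSSink.class",
    "org/apache/log4j/jdbc/JDBCAppender.class",
}
# Whole packages that are treated as risky (every entry under the prefix).
RISKY_PREFIXES = ("org/apache/log4j/chainsaw/",)


def is_risky(entry_name):
    """True if a jar entry is one of the classes the workaround removes."""
    return entry_name in RISKY_ENTRIES or entry_name.startswith(RISKY_PREFIXES)


def find_risky_entries(jar_path):
    """Audit check: list risky entries still present in a jar (empty == clean)."""
    with zipfile.ZipFile(jar_path) as jar:
        return sorted(name for name in jar.namelist() if is_risky(name))


def strip_risky_entries(jar_path, out_path):
    """Copy jar_path to out_path without the risky entries; return what was dropped."""
    removed = []
    with zipfile.ZipFile(jar_path) as src, \
            zipfile.ZipFile(out_path, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if is_risky(info.filename):
                removed.append(info.filename)
                continue
            # Preserve the original entry metadata (timestamps, compression).
            dst.writestr(info, src.read(info.filename))
    return sorted(removed)


def make_sample_jar(path):
    """Constructed stand-in for log4j-1.2.17.jar: placeholder bytes, not bytecode."""
    entries = (
        "META-INF/MANIFEST.MF",
        "org/apache/log4j/Logger.class",
        "org/apache/log4j/net/JMSAppender.class",
        "org/apache/log4j/net/SocketServer.class",
        "org/apache/log4j/chainsaw/Main.class",
    )
    with zipfile.ZipFile(path, "w") as jar:
        for name in entries:
            jar.writestr(name, b"placeholder")


def demo():
    """Build the sample jar, strip it, and return (before, removed, after)."""
    tmp = tempfile.mkdtemp()
    try:
        src = os.path.join(tmp, "log4j-1.2.17.jar")
        out = os.path.join(tmp, "log4j-1.2.17-stripped.jar")
        make_sample_jar(src)
        before = find_risky_entries(src)
        removed = strip_risky_entries(src, out)
        after = find_risky_entries(out)
        return before, removed, after
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    before, removed, after = demo()
    print("risky entries before:", before)
    print("removed:", removed)
    print("risky entries after:", after)
```

To audit a real artefact, call `find_risky_entries("/path/to/log4j-1.2.17.jar")` on the jar actually deployed on the brokers; a non-empty result means the workaround was not applied to that copy. Note that the check only proves the classes are absent from that jar, which is exactly the published mitigation; it does not address the separate request to move off Log4j 1.x entirely.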
