Currently, the core Apache Kafka components do not have any dependencies on log4j2
There may be Kafka connectors that use log4j2 so you would need to check with your connector vendors to see if this applies to those connectors. If you do not use Kafka connect, then this may not apply to you. Here is the official announcement from the Kafka project on this issue https://kafka.apache.org/cve-list If you are using non-upstream Kafka distro that includes log4j2, then check with that vendor for additional information I hope this helps Israel Ekpo Lead Instructor, IzzyAcademy.com https://izzyacademy.com/ On Wed, Dec 22, 2021 at 10:58 AM Deepak Jain < deepak.j...@cumulus-systems.com> wrote: > Hi Luke, > > We are using Kafka 2.8.1 Broker/Client system in our prod env. Due to the > Log4j vulnerability CVE-2021-44228, CVE-2021-45046, CVE-2021-4104 and > CVE-2021-45105, we are waiting for kafka to upgrade to Log4j 2.17. However, > we came across following link in which there is a preview for the same. > > http://home.apache.org/~dongjin/post/apache-kafka-log4j2-support/ > > Please let us know if it's safe and stable to upgrade our prod env with > the preview or do we wait for Kafka official release (Log4j 2.x support > with Java 8) for the same. > > Thanks in advance. > > Regards, > Deepak > >
