Hi Deepak, As Israel mentioned, the core Apache Kafka components do not have any dependencies on log4j2. The only CVE that core Apache Kafka got impacted is CVE-2021-4104. You can check the official announcement for the mitigation methods here: https://kafka.apache.org/cve-list
For the log4j 2.x preview, I don't suggest applying to the production environment. After all, the PR haven't completed code reviewed yet. But you can try it on staging environment, and welcome to report any issue to us. Thank you. Luke On Thu, Dec 23, 2021 at 3:39 AM Israel Ekpo <israele...@gmail.com> wrote: > Currently, the core Apache Kafka components do not have any dependencies > on log4j2 > > There may be Kafka connectors that use log4j2 so you would need to check > with your connector vendors to see if this applies to those connectors. > > If you do not use Kafka connect, then this may not apply to you. > > Here is the official announcement from the Kafka project on this issue > > https://kafka.apache.org/cve-list > > If you are using non-upstream Kafka distro that includes log4j2, then > check with that vendor for additional information > > I hope this helps > > Israel Ekpo > Lead Instructor, IzzyAcademy.com > https://izzyacademy.com/ > > > On Wed, Dec 22, 2021 at 10:58 AM Deepak Jain < > deepak.j...@cumulus-systems.com> wrote: > >> Hi Luke, >> >> We are using Kafka 2.8.1 Broker/Client system in our prod env. Due to the >> Log4j vulnerability CVE-2021-44228, CVE-2021-45046, CVE-2021-4104 and >> CVE-2021-45105, we are waiting for kafka to upgrade to Log4j 2.17. However, >> we came across following link in which there is a preview for the same. >> >> http://home.apache.org/~dongjin/post/apache-kafka-log4j2-support/ >> >> Please let us know if it's safe and stable to upgrade our prod env with >> the preview or do we wait for Kafka official release (Log4j 2.x support >> with Java 8) for the same. >> >> Thanks in advance. >> >> Regards, >> Deepak >> >>
