Hi Luke,

Thanks for your clarification. Just one more query:

Since we do not use the JMS Appender, do we need to apply the mitigation mentioned in the link below for CVE-2021-4104?

https://kafka.apache.org/cve-list

Regards,
Deepak

-----Original Message-----
From: Luke Chen <show...@gmail.com>
Sent: 23 December 2021 09:15
To: Israel Ekpo <israele...@gmail.com>
Cc: Users <users@kafka.apache.org>
Subject: Re: Log4j 2.x preview for Kafka

Hi Deepak,

As Israel mentioned, the core Apache Kafka components do not have any dependencies on log4j2. The only CVE that impacts core Apache Kafka is CVE-2021-4104. You can check the official announcement for the mitigation methods here: https://kafka.apache.org/cve-list

For the log4j 2.x preview, I don't suggest applying it to the production environment. After all, the PR hasn't completed code review yet. But you can try it on a staging environment, and you are welcome to report any issue to us.

Thank you.
Luke

On Thu, Dec 23, 2021 at 3:39 AM Israel Ekpo <israele...@gmail.com> wrote:

> Currently, the core Apache Kafka components do not have any dependencies on log4j2.
>
> There may be Kafka connectors that use log4j2, so you would need to check with your connector vendors to see if this applies to those connectors.
>
> If you do not use Kafka Connect, then this may not apply to you.
>
> Here is the official announcement from the Kafka project on this issue:
>
> https://kafka.apache.org/cve-list
>
> If you are using a non-upstream Kafka distro that includes log4j2, then check with that vendor for additional information.
>
> I hope this helps.
>
> Israel Ekpo
> Lead Instructor, IzzyAcademy.com
> https://izzyacademy.com/
>
>
> On Wed, Dec 22, 2021 at 10:58 AM Deepak Jain <deepak.j...@cumulus-systems.com> wrote:
>
>> Hi Luke,
>>
>> We are using a Kafka 2.8.1 Broker/Client system in our prod env. Due to the Log4j vulnerabilities CVE-2021-44228, CVE-2021-45046, CVE-2021-4104 and CVE-2021-45105, we are waiting for Kafka to upgrade to Log4j 2.17. However, we came across the following link in which there is a preview for the same.
>>
>> http://home.apache.org/~dongjin/post/apache-kafka-log4j2-support/
>>
>> Please let us know if it's safe and stable to upgrade our prod env with the preview, or should we wait for the official Kafka release (Log4j 2.x support with Java 8) for the same.
>>
>> Thanks in advance.
>>
>> Regards,
>> Deepak
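Added example, not part of the thread and not code from the Kafka project: Deepak's question is whether CVE-2021-4104 applies when JMSAppender is not used, and the practical way to answer it is to check the broker's log4j 1.x configuration for an active reference to org.apache.log4j.net.JMSAppender. The script below does that for both the properties and the XML configuration formats, ignoring commented-out lines, and ships with constructed sample configs so it runs offline. File names, the sample contents and the `report` helper are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread or the Kafka project): check whether a
# log4j 1.x configuration activates org.apache.log4j.net.JMSAppender, the
# component that CVE-2021-4104 concerns. Broker configs that never reference
# it are not exercising the vulnerable code path.

# Return 0 when the given log4j 1.x config references JMSAppender, 1 otherwise
# (2 if the file cannot be read). Commented-out lines are ignored.
log4j_config_uses_jmsappender() {
  _cfg="$1"
  [ -r "$_cfg" ] || { echo "cannot read $_cfg" >&2; return 2; }
  case "$_cfg" in
    *.xml)
      # XML form: <appender name="..." class="org.apache.log4j.net.JMSAppender">
      # Strip single-line <!-- --> comments first so a commented appender does not count.
      sed 's/<!--.*-->//g' "$_cfg" | grep -Eq 'class="org\.apache\.log4j\.net\.JMSAppender"'
      ;;
    *)
      # properties form: log4j.appender.<name>=org.apache.log4j.net.JMSAppender
      # Lines starting with # or ! are comments and fail the anchored match.
      grep -Eq '^[[:space:]]*log4j\.appender\.[^=:[:space:]]+[[:space:]]*[=:][[:space:]]*org\.apache\.log4j\.net\.JMSAppender[[:space:]]*$' "$_cfg"
      ;;
  esac
}

# Constructed sample configs for the demonstration (assumption: not real broker files).
write_samples() {
  _dir="$1"
  # Typical broker config: console appender only, JMS line commented out.
  cat > "$_dir/log4j.properties" <<'EOF'
log4j.rootLogger=INFO, stdout
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
# log4j.appender.jms=org.apache.log4j.net.JMSAppender
EOF
  # Config that does activate JMSAppender.
  cat > "$_dir/log4j-jms.properties" <<'EOF'
log4j.rootLogger=INFO, jms
log4j.appender.jms=org.apache.log4j.net.JMSAppender
EOF
  # XML config without any JMSAppender.
  cat > "$_dir/log4j.xml" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <!-- <appender name="jms" class="org.apache.log4j.net.JMSAppender"/> -->
  <appender name="stdout" class="org.apache.log4j.ConsoleAppender"/>
  <root><level value="info"/><appender-ref ref="stdout"/></root>
</log4j:configuration>
EOF
}

# Print a verdict for one config file; returns the check's own status.
report() {
  if log4j_config_uses_jmsappender "$1"; then
    echo "$1: JMSAppender is configured -> apply the CVE-2021-4104 mitigation from https://kafka.apache.org/cve-list"
    return 0
  else
    echo "$1: no active JMSAppender reference"
    return 1
  fi
}

# Run with --demo to scan the constructed samples; otherwise pass real config paths.
if [ "${1:-}" = "--demo" ]; then
  _tmp=$(mktemp -d)
  write_samples "$_tmp"
  for _f in "$_tmp/log4j.properties" "$_tmp/log4j-jms.properties" "$_tmp/log4j.xml"; do
    report "$_f" || true
  done
  rm -rf "$_tmp"
elif [ $# -gt 0 ]; then
  for _f in "$@"; do report "$_f" || true; done
fi
```

Run it as `sh check-jmsappender.sh /path/to/log4j.properties` against the broker's actual config (the path is whatever `-Dlog4j.configuration` or the default `config/log4j.properties` points at); a clean result only covers the configuration, so the jar-level mitigation described on the Kafka CVE page remains the authoritative fix.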