All, as someone who has been patching all December: there are two aspects to
log4j, the log4j API and the log4j jar version.

It is possible to use log4j 2.17.1 {core,api} without modifying Kafka.
Kafka itself is internally using the log4j api, but the api is implemented
by the patched log4j jars.

We have successfully swapped out the zk and kafka jars in this way (we were
actually doing it before the vulnerability because we patched the classpath
for log4j to splunk).

Edward

On Fri, Jan 21, 2022 at 2:05 AM Luke Chen <show...@gmail.com> wrote:

> Hi Deepak,
>
> So far, we don't have an ETA for log4j2.
> Please check this discussion:
> https://issues.apache.org/jira/browse/KAFKA-9366
>
> Thank you.
> Luke
>
> On Fri, Jan 21, 2022 at 1:57 PM Deepak Jain <deepak.j...@cumulus-systems.com> wrote:
>
> > Hi Luke,
> >
> > We are using Kafka 2.8.1 Broker/Client system in our prod env. Due to the
> > Log4j vulnerabilities CVE-2021-44228, CVE-2021-45046, CVE-2021-4104 and
> > CVE-2021-45105, we are waiting for Kafka to upgrade to Log4j 2.17.
> >
> > Our customers are asking why Kafka is using the obsolete log4j 1.x version.
> >
> > Please let us know when Kafka plans to upgrade the Log4j version.
> >
> > Thanks in advance.
> >
> > Regards,
> > Deepak
> >
> >
>
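
A verification check for the jar swap Edward describes, added here as an example and not code from the thread or the Kafka project. It assumes Maven-style jar names (`artifact-version.jar`) in the Kafka or ZooKeeper `libs/` directory and reports anything short of a consistent log4j 2.17.1 core/api pair.

```python
import re
from pathlib import Path

# Minimum log4j 2 version the thread settles on (2.17.1 core + api).
MIN_LOG4J2 = (2, 17, 1)

# Maven-style names: log4j-core-2.17.1.jar, log4j-1.2.17.jar, kafka_2.13-2.8.1.jar.
# A trailing qualifier such as -SNAPSHOT is allowed but must start with a letter,
# so log4j-1.2-api-2.17.1.jar parses as artifact "log4j-1.2-api", not "log4j".
JAR_RE = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d+(?:\.\d+)*)(?:-[A-Za-z][\w.]*)?\.jar$")


def parse_jar(name):
    """Return (artifact, version_tuple) or None if the name is not Maven-style."""
    m = JAR_RE.match(name)
    if not m:
        return None
    return m.group("artifact"), tuple(int(p) for p in m.group("version").split("."))


def audit_libs(jar_names):
    """Classify the log4j jars on a broker classpath after the jar swap.

    'log4j1'     : log4j 1.x jars still present (the line Kafka 2.8 ships)
    'old_log4j2' : log4j-core / log4j-api jars older than MIN_LOG4J2
    'mismatch'   : log4j-api and log4j-core versions differ (breaks at startup)
    'ok'         : only a matching log4j 2 >= MIN_LOG4J2 core/api pair remains
    """
    findings = {"log4j1": [], "old_log4j2": [], "mismatch": False, "ok": False}
    versions = {}
    for name in jar_names:
        parsed = parse_jar(name)
        if parsed is None:
            continue
        artifact, version = parsed
        if artifact == "log4j" and version[0] == 1:
            findings["log4j1"].append(name)
        elif artifact in ("log4j-core", "log4j-api"):
            versions[artifact] = version
            if version < MIN_LOG4J2:
                findings["old_log4j2"].append(name)
    if len(versions) == 2 and versions["log4j-core"] != versions["log4j-api"]:
        findings["mismatch"] = True
    findings["ok"] = (not findings["log4j1"] and not findings["old_log4j2"]
                      and len(versions) == 2 and not findings["mismatch"])
    return findings


if __name__ == "__main__":
    # Point this at a real libs/ directory; the path below is a placeholder.
    libs = sorted(p.name for p in Path("/opt/kafka/libs").glob("*.jar"))
    print(audit_libs(libs))
```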
