Hi Deepak,

The PR to upgrade to log4j 2 is already under review. And so far it looks good. So I think it's possible to be merged into v3.2.0. But still, it's not guaranteed.

PR is here: https://github.com/apache/kafka/pull/7898.
Welcome to provide comments to make it get merged faster.

Thank you.
Luke

On Fri, Feb 11, 2022 at 7:41 PM Deepak Jain <deepak.j...@cumulus-systems.com> wrote:

> Hi Luke,
>
> First of all Congratulations. Thanks for all your contributions.
>
> Please let us know if Kafka is planning to upgrade Log4j to latest version
> in Kafka future release. Our Customer is eagerly waiting and following with
> us regarding the same.
>
> Regards,
> Deepak
>
> *From:* Luke Chen <show...@gmail.com>
> *Sent:* 21 January 2022 12:35
> *To:* Deepak Jain <deepak.j...@cumulus-systems.com>
> *Cc:* users@kafka.apache.org; Alap Patwardhan <a...@cumulus-systems.com>
> *Subject:* Re: Kafka Log4j2.x upgrade plan
>
> Hi Deepak,
>
> So far, we don't have an ETA for log4j2.
>
> Please check this discussion:
> https://issues.apache.org/jira/browse/KAFKA-9366
>
> Thank you.
>
> Luke
>
> On Fri, Jan 21, 2022 at 1:57 PM Deepak Jain <
> deepak.j...@cumulus-systems.com> wrote:
>
> Hi Luke,
>
> We are using Kafka 2.8.1 Broker/Client system in our prod env. Due to the
> Log4j vulnerability CVE-2021-44228, CVE-2021-45046, CVE-2021-4104 and
> CVE-2021-45105, we are waiting for kafka to upgrade to Log4j 2.17.
>
> Our Customers are asking why Kafka is using obsolete log4j1.x version.
>
> Please let us know when Kafka is planned to upgrade the Log4j version?
>
> Thanks in advance.
>
> Regards,
> Deepak