Hi everyone, I'm sure we're all tired of talking about Log4j, so thank you for your patience. I understand and acknowledge all the details on https://kafka.apache.org/cve-list, but some more cautious organizations out there still want to upgrade/patch anyway.
It seems like v3.2.0 has a lot of fantastic work in progress to upgrade to Log4j2:

- https://cwiki.apache.org/confluence/display/KAFKA/KIP-653%3A+Upgrade+log4j+to+log4j2
- https://cwiki.apache.org/confluence/display/KAFKA/KIP-719%3A+Deprecate+Log4J+Appender
- https://issues.apache.org/jira/browse/KAFKA-9366
- https://github.com/apache/kafka/pull/7898

And right now that seems like it will possibly make it out in April 2022 (https://cwiki.apache.org/confluence/display/KAFKA/Release+Plan+3.2.0), which is great, but it's also a big version jump for organizations running older 2.x versions. Is there a corresponding plan to patch Log4j usage in the 2.8.x release line at all? I know there was some discussion of Reload4j on https://issues.apache.org/jira/browse/KAFKA-13660, but that seems like it has stalled out. Worst case, I realize there are workarounds as well, but it's preferable to not have to modify release JARs if I don't have to.

I completely understand the complexity and enormity of this issue after looking through all the PRs, Jiras, KIPs, etc. Thank you for your time, and a big thank you for all the hard work on making Kafka so awesome to use.

~Brent
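Brent mentions workarounds that modify release JARs. Before deciding whether any of that is needed, an operator wants an exact inventory of which Log4j-family artifacts a given Kafka install actually carries, including copies shaded into third-party plugin jars that a filename scan of libs/ would miss. The script below is an added example, not Brent's code and not part of the Kafka project: it walks a libs/ directory, reads the Maven pom.properties that normal jars embed, and falls back to well-known class-file names for shaded jars with no Maven metadata. The sample libs/ directory is constructed inline; its jar names and versions are illustrative, not taken from a real distribution.

```python
"""Inventory Log4j-family artifacts in a Kafka distribution's libs/ directory.

Added example, not code from the mailing-list post or from the Kafka project.
Assumes the usual Maven layout inside jars (META-INF/maven/<group>/<artifact>/pom.properties)
and falls back to marker class names for shaded jars that carry no pom.properties.
"""
from __future__ import annotations

import re
import tempfile
import zipfile
from pathlib import Path

# Maven coordinates -> family label. reload4j is the 1.x fork discussed in KAFKA-13660.
LOG4J_ARTIFACTS = {
    ("log4j", "log4j"): "log4j-1.x",
    ("ch.qos.reload4j", "reload4j"): "reload4j",
    ("org.apache.logging.log4j", "log4j-core"): "log4j-2.x",
    ("org.apache.logging.log4j", "log4j-api"): "log4j-2.x",
    ("org.apache.logging.log4j", "log4j-1.2-api"): "log4j-2.x",
}

# Class files that betray bundled (shaded) copies carrying no Maven metadata.
# Note: reload4j keeps the org.apache.log4j package, so the 1.x marker cannot tell them apart.
CLASS_MARKERS = {
    "org/apache/log4j/Logger.class": "log4j-1.x-or-reload4j (shaded)",
    "org/apache/logging/log4j/core/LoggerContext.class": "log4j-2.x (shaded)",
}

POM_PROPS = re.compile(r"^META-INF/maven/([^/]+)/([^/]+)/pom\.properties$")


def read_pom_properties(jar: zipfile.ZipFile, name: str) -> dict[str, str]:
    """Parse a Java .properties entry from inside the jar (key=value lines, # comments)."""
    props: dict[str, str] = {}
    for raw in jar.read(name).decode("utf-8", "replace").splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def inventory_jar(path: Path) -> list[dict[str, str]]:
    """Return one record per Log4j-family artifact found inside a single jar."""
    found: list[dict[str, str]] = []
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
        for name in names:
            match = POM_PROPS.match(name)
            if not match:
                continue
            family = LOG4J_ARTIFACTS.get((match.group(1), match.group(2)))
            if family is None:
                continue
            version = read_pom_properties(jar, name).get("version", "unknown")
            found.append({"jar": path.name, "family": family, "version": version})
        if not found:  # no Maven metadata for log4j: check for shaded class files instead
            for marker, family in CLASS_MARKERS.items():
                if marker in names:
                    found.append({"jar": path.name, "family": family, "version": "unknown"})
    return sorted(found, key=lambda rec: (rec["family"], rec["version"]))


def inventory_libs(libs_dir: Path) -> list[dict[str, str]]:
    """Walk every *.jar in libs/ in name order and concatenate the per-jar records."""
    results: list[dict[str, str]] = []
    for jar_path in sorted(libs_dir.glob("*.jar")):
        results.extend(inventory_jar(jar_path))
    return results


def summarize(records: list[dict[str, str]]) -> dict[str, set[str]]:
    """Collapse records to family -> set of versions, the view a patch plan needs."""
    summary: dict[str, set[str]] = {}
    for rec in records:
        summary.setdefault(rec["family"], set()).add(rec["version"])
    return summary


def make_sample_jar(path: Path, group: str, artifact: str, version: str, extra=()) -> None:
    """Constructed sample jar: Maven metadata plus optional empty marker entries, no real classes."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr(f"META-INF/maven/{group}/{artifact}/pom.properties",
                     f"# constructed sample\nversion={version}\ngroupId={group}\nartifactId={artifact}\n")
        for entry in extra:
            jar.writestr(entry, b"")


def build_sample_libs() -> Path:
    """Constructed stand-in for a 2.8.x-style libs/ directory (jar names are illustrative)."""
    libs = Path(tempfile.mkdtemp(prefix="kafka-libs-"))
    make_sample_jar(libs / "kafka-clients-2.8.1.jar", "org.apache.kafka", "kafka-clients", "2.8.1")
    make_sample_jar(libs / "log4j-1.2.17.jar", "log4j", "log4j", "1.2.17",
                    extra=["org/apache/log4j/Logger.class"])
    make_sample_jar(libs / "slf4j-log4j12-1.7.30.jar", "org.slf4j", "slf4j-log4j12", "1.7.30")
    # A hypothetical vendor plugin that shades log4j 1.x classes without any log4j pom.properties.
    make_sample_jar(libs / "vendor-plugin-shaded.jar", "com.example", "vendor-plugin", "1.0",
                    extra=["org/apache/log4j/Logger.class"])
    return libs


if __name__ == "__main__":
    records = inventory_libs(build_sample_libs())
    for rec in records:
        print(f'{rec["jar"]:32} {rec["family"]:34} {rec["version"]}')
    print(summarize(records))
```

Run against a real install with `inventory_libs(Path("/opt/kafka/libs"))`; the class-marker fallback is the part worth keeping, since a jar named after something else entirely can still carry a private copy of the logging classes, and that copy is untouched by swapping the top-level log4j jar.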