Hi Sandip,

We plan to replace log4j with reload4j in v3.2.0 and v3.1.1. (KAFKA-13660 <https://issues.apache.org/jira/browse/KAFKA-13660>) And plan to upgrade to log4j2 in v4.0.0.
You can check this discussion thread for more details:
https://lists.apache.org/thread/qo1y3249xldt4cpg6r8zkcq5m1q32bf1

Thank you.
Luke

On Tue, Mar 29, 2022 at 10:18 PM Sandip Bhunia <sandip.bhu...@tcs.com.invalid> wrote:

> Dear Team,
>
> We are getting vulnerability due to Log4j v1.2.17 jar being used in
> Kafka_2.11-2.4.0.
> We tried to upgrade the same to Kafka_2.13-3.1.0 to remediate
> vulnerability due to Log4j v1.2.17 (obsolete version: Log4j 1.x has
> reached End of Life in 2015 and is no longer supported) but found this
> version of Kafka does not use Log4j v2.X.
>
> As per your website there is no such information available. Please let us
> know when this will get upgraded. Please let us know how to get this
> vulnerability remediated as we need to upgrade Log4j to v2.x.
>
> Thanks & Regards,
> Sandip Bhunia