Hi Ashok,

Kafka 2.7.1 was built from the 2.7.1 tag [1] and looking at the dependencies in that version [2], it should have shipped with 1.2.17. You can verify this by looking for the log4j jar in your installation. Because of the security vulnerabilities you mention, Kafka switched to reload4j in [3] around 3.2.0, and last upgraded reload4j in 3.6.0 [4].

You should consider upgrading to a more recent version of Kafka (recommended, as 2.7 is well out-of-support) or consider swapping out the log4j jar with a recent version of reload4j (not recommended).

[1] https://github.com/apache/kafka/tree/2.7.1
[2] https://github.com/apache/kafka/blob/61dbce85d0d41457d81a4096ecaea049f3a4b3ae/gradle/dependencies.gradle#L76
[3] https://issues.apache.org/jira/browse/KAFKA-13660
[4] https://github.com/apache/kafka/pull/13673

Thanks,
Greg

On Thu, May 16, 2024 at 5:50 AM Ashok Kumar Ragupathi <aragupa...@denovosystem.com.invalid> wrote:
>
> Hello Kafka Team,
>
> Request your help...
>
> We are using Apache Kafka kafka_2.13-2.7.1 & installed on a server.
>
> I understand it uses log4j java for logger purposes.
>
> But we don't know, what is the log4j version it is using?
>
> Recently we came to know that log4j_1.2.17 has some security issues, how to
> upgrade the log4j_v2 version? how to find what version internally it uses
> or refers ?
>
> Thanks & Regards
> Ashok Kumar
> Denovo Systems
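
One way to do the check described in the reply above (looking for the log4j jar in the installation), as an added example that is not part of the original thread. It assumes the jars sit in a `libs/` directory under the install root and follow the `log4j-<version>.jar`, `reload4j-<version>.jar` and `log4j-core-<version>.jar` naming; the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: classify the logging jars in a Kafka installation by file name.
# Assumption: jars live in <install root>/libs and keep their upstream names.

classify_jar() {
  # Print "<family> <version> <file>" for a logging jar, nothing for other jars.
  # Bridge jars such as slf4j-log4j12-*.jar are deliberately not matched.
  local name ver
  name=$(basename "$1")
  case "$name" in
    reload4j-[0-9]*.jar)   ver=${name#reload4j-};   echo "reload4j ${ver%.jar} $name" ;;
    log4j-core-[0-9]*.jar) ver=${name#log4j-core-}; echo "log4j2 ${ver%.jar} $name" ;;
    log4j-[0-9]*.jar)      ver=${name#log4j-};      echo "log4j1 ${ver%.jar} $name" ;;
  esac
}

list_logging_jars() {
  # $1 = Kafka install root (for example the unpacked kafka_2.13-2.7.1 directory)
  local root=$1 jar
  [ -d "$root/libs" ] || { echo "no libs/ directory under $root" >&2; return 2; }
  find "$root/libs" -maxdepth 1 -type f -name '*.jar' | sort | while read -r jar; do
    classify_jar "$jar"
  done
}

needs_attention() {
  # Succeeds when an original log4j 1.x jar is still present in the installation.
  list_logging_jars "$1" | grep -q '^log4j1 '
}
```

Call `list_logging_jars <install root>` to see which logging implementation and version is on disk; `needs_attention <install root>` can gate an inventory or patch-compliance script.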