Posted to users@kafka.apache.org by Brent <br...@gmail.com> on 2022/03/01 21:38:47 UTC

Log4j plans for 2.8.x release line

Hi everyone,

I'm sure we're all tired of talking about Log4j, so thank you for your
patience.  I understand and acknowledge all the details on
https://kafka.apache.org/cve-list, but some more cautious organizations out
there still want to upgrade/patch anyway.

It seems like v3.2.0 has a lot of fantastic work in progress to upgrade to
Log4j2:
- https://cwiki.apache.org/confluence/display/KAFKA/KIP-653%3A+Upgrade+log4j+to+log4j2
- https://cwiki.apache.org/confluence/display/KAFKA/KIP-719%3A+Deprecate+Log4J+Appender
- https://issues.apache.org/jira/browse/KAFKA-9366
- https://github.com/apache/kafka/pull/7898
And right now that seems like it will possibly make it out in April 2022 (
https://cwiki.apache.org/confluence/display/KAFKA/Release+Plan+3.2.0) which
is great, but it's also a big version jump for organizations running older
2.x versions.

Is there a corresponding plan to patch Log4j usage in the 2.8.x release
line at all?

I know there was some discussion of Reload4j on
https://issues.apache.org/jira/browse/KAFKA-13660, but that seems like it
has stalled out.  Worst case, I realize there are workarounds as well, but
it's preferable to not have to modify release JARs if I don't have to.

I completely understand the complexity and enormity of this issue after
looking through all the PRs, Jiras, KIPs, etc.  Thank you for your time and
a big thank you for all the hard work on making Kafka so awesome to use.

~Brent