Posted to users@kafka.apache.org by Deepak Jain <de...@cumulus-systems.com> on 2022/02/11 11:41:24 UTC

RE: Kafka Log4j2.x upgrade plan

Hi Luke,


First of all, congratulations. Thanks for all your contributions.

Please let us know if Kafka is planning to upgrade Log4j to the latest version in a future Kafka release. Our customer is eagerly waiting and following up with us regarding the same.



Regards,

Deepak

From: Luke Chen <sh...@gmail.com>
Sent: 21 January 2022 12:35
To: Deepak Jain <de...@cumulus-systems.com>
Cc: users@kafka.apache.org; Alap Patwardhan <al...@cumulus-systems.com>
Subject: Re: Kafka Log4j2.x upgrade plan

Hi Deepak,

So far, we don't have an ETA for log4j2.
Please check this discussion: https://issues.apache.org/jira/browse/KAFKA-9366

Thank you.
Luke

On Fri, Jan 21, 2022 at 1:57 PM Deepak Jain <de...@cumulus-systems.com> wrote:
Hi Luke,

We are using Kafka 2.8.1 Broker/Client system in our prod env. Due to the Log4j vulnerability CVE-2021-44228, CVE-2021-45046, CVE-2021-4104 and CVE-2021-45105, we are waiting for kafka to upgrade to Log4j 2.17.

Our Customers are asking why Kafka is using obsolete log4j1.x version.

Please let us know when Kafka is planned to upgrade the Log4j version?

Thanks in advance.

Regards,
Deepak

RE: Kafka Log4j2.x upgrade plan

Posted by Tom Cooper <co...@tomcooper.dev>.
Hi Deepak,

Kafka 3.0 deprecated Java 8, but (as I understand it) build support will not be removed until Kafka 4.0. Therefore, you can upgrade to the 3.x release which has the log4j fixes and this will still be built with Java 8 support.

Cheers,

Tom Cooper

On Fri, Feb 11, 2022 at 17:41, Deepak Jain <de...@cumulus-systems.com> wrote:

> Hi Luke,
>
> Thanks for your prompt reply.
>
> Our application uses Java 8 but it seems the java 8 support is deprecated from Kafka 3.0.0 release onwards.
>
> Please let us know if Kafka is planning to upgrade Log4j to latest version in Kafka future release (2.8.x) which supports Java 8.
>
> Regards,
> Deepak
>
> From: Luke Chen <sh...@gmail.com>
> Sent: 11 February 2022 18:15
> To: Deepak Jain <de...@cumulus-systems.com>
> Cc: users@kafka.apache.org; Alap Patwardhan <al...@cumulus-systems.com>
> Subject: Re: Kafka Log4j2.x upgrade plan
>
> Hi Deepak,
>
> The PR to upgrade to log4j 2 is already under review. And so far it looks good.
> So I think it's possible to be merged into v3.2.0.
> But still, it's not guaranteed.
>
> PR is here: https://github.com/apache/kafka/pull/7898.
> Welcome to provide comments to make it get merged faster.
>
> Thank you.
> Luke
>
> On Fri, Feb 11, 2022 at 7:41 PM Deepak Jain <de...@cumulus-systems.com> wrote:
> Hi Luke,
>
> First of all Congratulations. Thanks for all your contributions.
>
> Please let us know if Kafka is planning to upgrade Log4j to latest version in Kafka future release. Our Customer is eagerly waiting and following with us regarding the same.
>
> Regards,
>
> Deepak
>
> From: Luke Chen <sh...@gmail.com>
> Sent: 21 January 2022 12:35
> To: Deepak Jain <de...@cumulus-systems.com>
> Cc: users@kafka.apache.org; Alap Patwardhan <al...@cumulus-systems.com>
> Subject: Re: Kafka Log4j2.x upgrade plan
>
> Hi Deepak,
>
> So far, we don't have an ETA for log4j2.
> Please check this discussion: https://issues.apache.org/jira/browse/KAFKA-9366
>
> Thank you.
> Luke
>
> On Fri, Jan 21, 2022 at 1:57 PM Deepak Jain <de...@cumulus-systems.com> wrote:
> Hi Luke,
>
> We are using Kafka 2.8.1 Broker/Client system in our prod env. Due to the Log4j vulnerability CVE-2021-44228, CVE-2021-45046, CVE-2021-4104 and CVE-2021-45105, we are waiting for kafka to upgrade to Log4j 2.17.
>
> Our Customers are asking why Kafka is using obsolete log4j1.x version.
>
> Please let us know when Kafka is planned to upgrade the Log4j version?
>
> Thanks in advance.
>
> Regards,
> Deepak

RE: Kafka Log4j2.x upgrade plan

Posted by Deepak Jain <de...@cumulus-systems.com>.
Hi Luke,

Thanks for your prompt reply.

Our application uses Java 8, but it seems that Java 8 support is deprecated from the Kafka 3.0.0 release onwards.

Please let us know if Kafka is planning to upgrade Log4j to the latest version in a future Kafka release (2.8.x) which supports Java 8.

Regards,
Deepak

From: Luke Chen <sh...@gmail.com>
Sent: 11 February 2022 18:15
To: Deepak Jain <de...@cumulus-systems.com>
Cc: users@kafka.apache.org; Alap Patwardhan <al...@cumulus-systems.com>
Subject: Re: Kafka Log4j2.x upgrade plan

Hi Deepak,

The PR to upgrade to log4j 2 is already under review. And so far it looks good.
So I think it's possible to be merged into v3.2.0.
But still, it's not guaranteed.

PR is here: https://github.com/apache/kafka/pull/7898.
Welcome to provide comments to make it get merged faster.

Thank you.
Luke

On Fri, Feb 11, 2022 at 7:41 PM Deepak Jain <de...@cumulus-systems.com> wrote:
Hi Luke,


First of all Congratulations. Thanks for all your contributions.



Please let us know if Kafka is planning to upgrade Log4j to latest version in Kafka future release. Our Customer is eagerly waiting and following with us regarding the same.



Regards,

Deepak

From: Luke Chen <sh...@gmail.com>
Sent: 21 January 2022 12:35
To: Deepak Jain <de...@cumulus-systems.com>
Cc: users@kafka.apache.org; Alap Patwardhan <al...@cumulus-systems.com>
Subject: Re: Kafka Log4j2.x upgrade plan

Hi Deepak,

So far, we don't have an ETA for log4j2.
Please check this discussion: https://issues.apache.org/jira/browse/KAFKA-9366

Thank you.
Luke

On Fri, Jan 21, 2022 at 1:57 PM Deepak Jain <de...@cumulus-systems.com> wrote:
Hi Luke,

We are using Kafka 2.8.1 Broker/Client system in our prod env. Due to the Log4j vulnerability CVE-2021-44228, CVE-2021-45046, CVE-2021-4104 and CVE-2021-45105, we are waiting for kafka to upgrade to Log4j 2.17.

Our Customers are asking why Kafka is using obsolete log4j1.x version.

Please let us know when Kafka is planned to upgrade the Log4j version?

Thanks in advance.

Regards,
Deepak

Re: Kafka Log4j2.x upgrade plan

Posted by Luke Chen <sh...@gmail.com>.
Hi Deepak,

The PR to upgrade to log4j 2 is already under review. And so far it looks
good.
So I think it's possible to be merged into v3.2.0.
But still, it's not guaranteed.

PR is here: https://github.com/apache/kafka/pull/7898.
You are welcome to provide comments to help it get merged faster.

Thank you.
Luke

On Fri, Feb 11, 2022 at 7:41 PM Deepak Jain <de...@cumulus-systems.com>
wrote:

> Hi Luke,
>
>
>
> First of all Congratulations. Thanks for all your contributions.
>
>
>
> Please let us know if Kafka is planning to upgrade Log4j to latest version
> in Kafka future release. Our Customer is eagerly waiting and following with
> us regarding the same.
>
>
>
> Regards,
>
> Deepak
>
>
>
> *From:* Luke Chen <sh...@gmail.com>
> *Sent:* 21 January 2022 12:35
> *To:* Deepak Jain <de...@cumulus-systems.com>
> *Cc:* users@kafka.apache.org; Alap Patwardhan <al...@cumulus-systems.com>
> *Subject:* Re: Kafka Log4j2.x upgrade plan
>
>
>
> Hi Deepak,
>
>
>
> So far, we don't have an ETA for log4j2.
>
> Please check this discussion:
> https://issues.apache.org/jira/browse/KAFKA-9366
>
>
>
> Thank you.
>
> Luke
>
>
>
> On Fri, Jan 21, 2022 at 1:57 PM Deepak Jain <
> deepak.jain@cumulus-systems.com> wrote:
>
> Hi Luke,
>
> We are using Kafka 2.8.1 Broker/Client system in our prod env. Due to the
> Log4j vulnerability CVE-2021-44228, CVE-2021-45046, CVE-2021-4104 and
> CVE-2021-45105, we are waiting for kafka to upgrade to Log4j 2.17.
>
> Our Customers are asking why Kafka is using obsolete log4j1.x version.
>
> Please let us know when Kafka is planned to upgrade the Log4j version?
>
> Thanks in advance.
>
> Regards,
> Deepak
>
>