[ https://issues.apache.org/jira/browse/KAFKA-13660?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17513214#comment-17513214 ]

Vikash Mishra commented on KAFKA-13660:
---------------------------------------

Hi [~cadonna] [~tombentley], do we have any clarity on whether this will be 
taken up in either 3.1.1 or 3.2 after the log4j2 upgrade has been kicked out of 
3.2? 
I see no update confirming the same in the discussion thread here: 
[https://lists.apache.org/thread/qo1y3249xldt4cpg6r8zkcq5m1q32bf1] 

The community has been waiting for months for the log4j2 upgrade for Kafka, 
especially considering that the current log4j version used in Kafka has long 
been out of support and hence is always a threat, apart from the current CVE 
issues. So, at least having an alternative in the form of reload4j in 3.1.1 and 
3.2 would be a relief for all the Kafka users out there.

Thanks

> Replace log4j with reload4j
> ---------------------------
>
>                 Key: KAFKA-13660
>                 URL: https://issues.apache.org/jira/browse/KAFKA-13660
>             Project: Kafka
>          Issue Type: Bug
>          Components: logging
>    Affects Versions: 2.4.0, 3.0.0
>            Reporter: Mike Lothian
>            Priority: Major
>
> Kafka is using a known vulnerable version of log4j. The reload4j project was 
> created by the code's original authors to address those issues. It is 
> designed as a drop-in replacement without any API changes.
>  
> https://reload4j.qos.ch/
>  
> I've raised a merge request, replacing log4j with reload4j, slf4j-log4j12 
> with slf4j-reload4j and bumping the slf4j version
>  
> This is my first time contributing to the Kafka project and I'm not too 
> familiar with the process. I'll go back and amend my PR with this issue number.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
