Is Confluent (7.0) with bundled LOG4J vulnerable?

Hi. Are the current version of Confluent (7.0) and the bundled LOG4J version open to this new vulnerability?

According to , yes. has the mitigation required.

Would the mitigation suggested here, with this property on the broker, work?


That's a JVM argument, and it should work.

Yup, KAFKA_ARGS should be able to take it in your service file.

-Dlog4j2.formatMsgNoLookups=true in  is confirmed working, preventing the log4j2 vulnerability Log4Shell.
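
The flag discussed above is a JVM system property; Kafka's launcher script kafka-run-class.sh appends the contents of the KAFKA_OPTS environment variable to the java command line, so in a systemd unit it would be set with a line such as Environment="KAFKA_OPTS=-Dlog4j2.formatMsgNoLookups=true". Two caveats a practitioner should know: log4j2 only honours that property from 2.10.0 onwards, and it was later shown not to close CVE-2021-45046, so the durable fix is log4j-core 2.17.0 or newer, or deleting JndiLookup.class from the jar. The following script is an added example (not Confluent's or Apache Kafka's own tooling) that walks an install tree, finds every log4j and log4j-core jar, checks whether JndiLookup.class is still inside it, and reports which CVEs apply and what to do. The share/java/... paths in the fixture are constructed and only loosely modelled on a Confluent Platform layout; point scan() at a real installation directory to check your own brokers.

```python
"""Scan a Kafka/Confluent install tree for log4j jars and classify them
against the Log4Shell CVEs. Added example, not Confluent's own tooling."""
import re
import tempfile
import zipfile
from pathlib import Path

# log4j2 class that performs JNDI lookups; deleting it from log4j-core is the
# documented class-removal mitigation for 2.x versions below 2.16.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Matches log4j-1.2.17.jar (1.x) and log4j-core-2.13.2.jar (2.x core), but not
# log4j-api-*, log4j-1.2-api-* or log4j-slf4j-impl-*, which carry no JndiLookup.
# Release versions x.y.z only; 2.0-beta jars are not matched.
JAR_RE = re.compile(r"^log4j(?:-core)?-(\d+)\.(\d+)\.(\d+)[^/]*\.jar$")


def parse_version(filename):
    """Return (major, minor, patch) for a log4j / log4j-core jar name, else None."""
    m = JAR_RE.match(filename)
    return tuple(int(g) for g in m.groups()) if m else None


def classify(version, has_jndi_lookup):
    """Return status, applicable CVEs and the action to take for one jar."""
    if version < (2, 0, 0):
        return {"status": "not-affected", "cves": [],
                "action": "log4j 1.x has no JndiLookup; CVE-2021-44228 does not apply"}
    if version >= (2, 17, 0):
        return {"status": "fixed", "cves": [], "action": "none"}
    cves = ["CVE-2021-45105"]                 # recursion DoS, fixed in 2.17.0
    if version < (2, 16, 0):
        cves.insert(0, "CVE-2021-45046")      # incomplete 2.15 fix, fixed in 2.16.0
    if version < (2, 15, 0):                  # CVE-2021-44228 (Log4Shell), fixed in 2.15.0
        if not has_jndi_lookup:
            return {"status": "mitigated", "cves": ["CVE-2021-45105"],
                    "action": "JndiLookup.class removed; still upgrade to 2.17+"}
        cves.insert(0, "CVE-2021-44228")
        flag = "honoured" if version >= (2, 10, 0) else "NOT honoured before 2.10"
        return {"status": "vulnerable", "cves": cves,
                "action": ("upgrade to 2.17+ or delete JndiLookup.class; "
                           f"-Dlog4j2.formatMsgNoLookups=true is {flag} "
                           "and does not cover CVE-2021-45046")}
    return {"status": "partially-fixed", "cves": cves, "action": "upgrade to 2.17+"}


def scan(root):
    """Walk root, open every matching jar and report its classification."""
    root = Path(root)
    findings = []
    for jar in sorted(root.rglob("*.jar")):
        version = parse_version(jar.name)
        if version is None:
            continue
        with zipfile.ZipFile(jar) as zf:
            has_jndi = JNDI_LOOKUP in zf.namelist()
        findings.append({"jar": str(jar.relative_to(root)), "version": version,
                         "jndi_lookup": has_jndi, **classify(version, has_jndi)})
    return findings


def build_fixture(root):
    """Write a constructed install tree of fake jars (not a real Confluent layout)."""
    jars = {  # relative path -> whether the jar still ships JndiLookup.class
        "share/java/kafka/log4j-1.2.17.jar": False,
        "share/java/kafka/log4j-api-2.13.2.jar": False,            # ignored by JAR_RE
        "share/java/confluent-control-center/log4j-core-2.13.2.jar": True,
        "share/java/ksqldb/log4j-core-2.13.2.jar": False,           # class already deleted
        "share/java/schema-registry/log4j-core-2.17.1.jar": True,   # 2.17 ships it, patched
    }
    for rel, ships_jndi in jars.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        with zipfile.ZipFile(path, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            if ships_jndi:
                zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder class bytes


def demo():
    """Build the constructed fixture in a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_fixture(tmp)
        return scan(tmp)


if __name__ == "__main__":
    for f in demo():
        ver = ".".join(map(str, f["version"]))
        print(f"{f['status']:<16} {ver:<8} {f['jar']}\n    {f['action']}")
```

The version thresholds are the ones from the Apache advisories (2.15.0, 2.16.0, 2.17.0); the scanner deliberately ignores log4j-api and bridge jars because the lookup code lives only in log4j-core, and it treats a 2.x core jar whose JndiLookup.class has been deleted as mitigated rather than fixed, since CVE-2021-45105 is unrelated to JNDI.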

Thanks for all the good info people!

Where do you see that Confluent Kafka is vulnerable? Core Kafka uses log4j 1.2.17. As far as I can tell, Confluent uses a repackaged version of log4j 1.2 with security patches.

PR-365 - Upgrade log4j2 to 2.13.2
PR-371 - KAFKA-12756: Update ZooKeeper to v3.6.3

If you have a Confluent support contract, I strongly recommend checking out

For Confluent Cloud customers, is there a way to view what version the cluster is running so we can confirm the security patches have been applied?