Is cp-kafka-connect-base image still using confluent forked log4j v1.x?

Hi there,

We are using the cp-kafka-connect-base v5.3.1 community image for our self-managed connectors.

The December 2021 Log4j Vulnerabilities Advisory says:

Confluent’s community package does not include or rely upon Log4j 2.x. The community package also relies upon Confluent’s fork of Log4j 1.x (confluent-log4j), which is not vulnerable to CVE-2021-44228. The community package does not ship with JMS Appender configured by default, which means the Confluent community package is not impacted by CVE-2021-4104.

Can anyone from Confluent confirm that this still applies to the latest and future versions of the cp-kafka-connect-base community images?

Best Regards,


These images are open source, so you’re welcome to figure this out from the repo.
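The three claims quoted from the advisory (no Log4j 2.x, the confluent-log4j 1.x fork, no JMS Appender configured) can also be checked against an image's extracted filesystem. The following is an added example, not Confluent's code and not part of the original posts; it assumes standard Maven-style jar filenames, and the sample tree, paths and versions in it are constructed placeholders.

```python
import os
import re
import tempfile

# Jar filename patterns, most specific first (first match wins).
JAR_PATTERNS = [
    ("log4j2-core", re.compile(r"^log4j-core-(2\.[\w.\-]+)\.jar$")),
    ("log4j2-1.2-bridge", re.compile(r"^log4j-1\.2-api-(2\.[\w.\-]+)\.jar$")),
    ("confluent-log4j1-fork", re.compile(r"^confluent-log4j-([\w.\-]+)\.jar$")),
    ("apache-log4j1", re.compile(r"^log4j-(1\.[\w.\-]+)\.jar$")),
]
# Active (uncommented) log4j 1.x properties line that configures JMSAppender.
JMS_LINE = re.compile(
    r"^\s*log4j\.appender\.[\w.]+\s*=\s*org\.apache\.log4j\.net\.JMSAppender\b")


def scan_rootfs(root):
    """Return (jars, jms_hits) found under an extracted image filesystem."""
    jars, jms_hits = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            for kind, pattern in JAR_PATTERNS:
                match = pattern.match(name)
                if match:
                    jars.append((kind, match.group(1), rel))
                    break
            if name.endswith(".properties"):
                with open(os.path.join(root, rel), errors="replace") as fh:
                    for lineno, line in enumerate(fh, 1):
                        if JMS_LINE.match(line):
                            jms_hits.append((rel, lineno))
    return sorted(jars), sorted(jms_hits)


def build_sample(root):
    """Constructed sample tree; every path and version is a placeholder."""
    libs = os.path.join(root, "libs")
    os.makedirs(libs)
    for jar in ("confluent-log4j-1.x-sample.jar", "slf4j-log4j12-0.0.0.jar"):
        open(os.path.join(libs, jar), "w").close()
    with open(os.path.join(root, "sample-log4j.properties"), "w") as fh:
        fh.write("#log4j.appender.jms=org.apache.log4j.net.JMSAppender\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(scan_rootfs(tmp))
```

The check is filename-based, so classes repackaged inside a shaded or fat jar are not detected. Point `scan_rootfs` at a directory produced by exporting the container filesystem for the image tag you actually deploy.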