OSSEVA FOR APACHE KAFKA
Real Apache Kafka. Patched. Operated. No per-core surprise.
CVE patches for Kafka 2.8 through 3.x, reference architectures for high-throughput clusters, and 24/7 managed operations — without Confluent's $50K+ annual floor.
Why now
Confluent pricing: $50K–$500K+ annually
Confluent Cloud and Confluent Platform are priced for platform vendor margins. Customers running real Apache Kafka workloads pay for features they don't use. OSSeva lets you keep the runtime you have at a fraction of the cost.
Kafka 2.8.x: past community maintenance window
Kafka 2.8.x and earlier are outside the community support window. CVEs accumulate. OSSeva ships patches for versions your team is actually running.
Compliance requires a patched runtime
Financial Services, Healthcare, and Public Sector all require evidence that your event streaming runtime receives security patches. An unsupported Kafka version fails that evidence test.
Versions covered
All versions below receive active CVE patches from OSSeva. Version numbers in monospace are exact release identifiers.
| Version | Status | Active CVEs |
|---|---|---|
| 2.8.x | Extended | Clean |
| 3.0.x | Extended | Clean |
| 3.3.x | Extended | Clean |
| 3.6.x | Current | Clean |
| 3.7.x | Current | Clean |
What you get
Three tiers — pick the level of engagement that matches your team's operational needs and compliance requirements.
OSSeva Patch
CVE remediation for the Kafka version you're actually running.
- Quarterly CVE patches for covered versions
- Signed artifacts via OSSeva registry
- Broker & client library patches
- Vulnerability disclosure notifications
- Architecture review
- 24/7 managed operations
OSSeva Assure
Patch plus architecture review and compliance documentation.
- Everything in Patch
- Cluster configuration audit
- Throughput & latency review
- Compliance attestation package
- Migration design from Confluent Platform
- 24/7 managed operations
OSSeva Operate
Full MSP: broker fleet monitoring, incident response, named SREs.
- Everything in Assure
- 24/7 broker & consumer-lag monitoring
- 15-minute P1 incident response SLA
- Capacity planning & scaling operations
- Kafka Streams / Connect operational support
- Quarterly architecture reviews
All tiers priced per cluster/application — not per core. Contact for pricing →
How it installs
OSSeva artifacts arrive via your existing package infrastructure. Pull the patched version the same way you pull upstream today — just from the OSSeva registry.
helm repo add osseva https://charts.osseva.io
helm install kafka osseva/kafka \
--version 3.6.2-osseva-1 \
--namespace streaming \
--set replicaCount=3 \
--set zookeeper.enabled=false \
--set kraft.enabled=trueMigrate from Confluent Platform / Confluent Cloud
Confluent adds a proprietary layer (Schema Registry, ksqlDB, Control Center) on top of Apache Kafka. If you're not using those Confluent-specific features, you're paying for them anyway. OSSeva migrates you back to upstream Apache Kafka with no data loss and full CVE coverage.
Pricing model
OSSeva for Kafka is priced per cluster, not per broker, partition, or throughput tier.
Compliance library
Frequently asked questions
Which versions of RabbitMQ are past community end-of-life?
RabbitMQ 3.8.x, 3.9.x, 3.10.x, 3.11.x, and 3.12.x have all reached community EOL — meaning no further security patches or CVE fixes are released by the RabbitMQ maintainers for those versions. RabbitMQ 3.13.x reached EOL in late 2024. OSSeva delivers backported CVE patches for 3.11 through 3.13.
Which PostgreSQL versions are no longer receiving community security patches?
PostgreSQL 9.6 through 13 have all reached community EOL. PostgreSQL 11 reached EOL November 2023, PostgreSQL 12 reached EOL November 2024, and PostgreSQL 13 reaches EOL November 2025. OSSeva provides extended security patching for PostgreSQL 11, 12, and 13 for teams that cannot immediately migrate to PG 14 or later.
Is Spring Framework 5.3.x still supported?
Spring Framework 5.3.x reached its community OSS EOL on December 31, 2024. Broadcom's commercial support for Spring 5.3.x is also no longer available under standard terms. OSSeva delivers backported CVE patches for Spring Framework 5.3.x and Spring Boot 2.7.x under our extended lifecycle support program.
Which versions of Apache Kafka are EOL?
Apache Kafka versions 2.x and 3.0 through 3.4 are past their community supported window, meaning no further patch releases. Kafka 3.5 and 3.6 have reached or are approaching EOL. OSSeva supports Kafka 2.8 through 3.5 with backported security patches and compliance documentation.
What happened to Redis licensing? Can I still use Redis for free?
In March 2024, Redis Ltd. changed the Redis license from BSD-3-Clause to the Business Source License (BSL 1.1), which restricts use in competing database products. The Valkey project (a Linux Foundation fork) continues under BSD-3-Clause. OSSeva maintains BSD-licensed, CVE-patched builds of Redis 6.2 and 7.0 for enterprises that need verifiable open-source licensing alongside security coverage.
Is Node.js 18 still receiving security patches?
Node.js 18 (LTS 'Hydrogen') reached its end-of-life date in April 2025 and no longer receives security releases from the Node.js project. OSSeva delivers CVE patches for Node.js 18 for enterprise teams that have not yet migrated to Node.js 20 or 22.
Is Apache Tomcat 8.5 still supported?
Apache Tomcat 8.5 reached its community EOL in March 2024. OSSeva provides extended security patching for Tomcat 8.5.x for teams running Java EE 7 workloads that cannot immediately migrate to Tomcat 9.0 or 10.1.
What .NET versions does OSSeva support?
.NET 6 reached Microsoft end-of-support in November 2024. .NET 7 reached EOL in May 2024. OSSeva delivers CVE patches for .NET 6 and .NET 7 for teams that have not yet migrated to .NET 8 (LTS, supported through November 2026).
Ready to get Apache Kafka patched and supported?
Start with a 45-minute discovery call. We confirm your version coverage, scope the engagement, and have you onboarded within your first quarter.