Hi Arvinder,

You are correct; tlp-stress includes Log4j as one of its libraries and
users will need to update the JAR file.

On 16th December 2021, tlp-stress was updated [1] to include Log4j 2.16.0
which fixed CVE-2021-45046. Version 5.0.0 was released which included this
change.

Unfortunately, further security issues were identified in Log4j v2.16.0. On
10th January 2022, tlp-stress was updated again [2] to include Log4j 2.17.1,
which fixed CVE-2021-45105 and CVE-2021-44832. A new version of tlp-stress
will be released soon which will include these updates.

For now please build and use the latest version of the master branch to get
the latest patch.

Kind regards,
Anthony

[1]
https://github.com/thelastpickle/tlp-stress/commit/298135e2bfc6d4d23f04154f098c3592dd3b32f0
[2]
https://github.com/thelastpickle/tlp-stress/commit/2d4542c27d3f1c0e24899c01247b9a8ee3c9a238
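An added example (not code from the thread or from the tlp-stress project) of the check a user would run on a lib directory before and after swapping the JAR as described above: it identifies log4j-core by its manifest rather than trusting the file name and flags anything below 2.17.1. It assumes log4j-core's manifest carries Bundle-SymbolicName org.apache.logging.log4j.core and an Implementation-Version attribute; the sample jars it builds are constructed stand-ins, not real Log4j artifacts.

```python
import re
import tempfile
import zipfile
from pathlib import Path

MIN_SAFE = (2, 17, 1)  # per the thread: 2.17.1 fixes CVE-2021-45105 and CVE-2021-44832; 2.16.0 only CVE-2021-45046
LOG4J_CORE_BUNDLE = "org.apache.logging.log4j.core"  # assumed Bundle-SymbolicName of log4j-core

def parse_version(text):
    return tuple(int(p) for p in re.findall(r"\d+", text)[:3])  # '2.16.0' -> (2, 16, 0); '-rc1' ignored

def needs_update(version):
    return parse_version(version) < MIN_SAFE

def read_manifest(jar_path):
    """Return the main-section attributes of META-INF/MANIFEST.MF as a dict."""
    with zipfile.ZipFile(jar_path) as zf:
        raw = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    attrs = {}
    for line in raw.splitlines():
        if ":" in line and not line.startswith(" "):  # skip wrapped continuation lines
            key, _, value = line.partition(":")
            attrs[key.strip()] = value.strip()
    return attrs

def scan_jars(directory):
    """(jar name, version, needs_update) for each log4j-core jar under directory. The manifest
    is checked first so a renamed jar is caught; log4j-over-slf4j is a different artifact and is not reported."""
    findings = []
    for jar in sorted(Path(directory).rglob("*.jar")):
        try:
            m = read_manifest(jar)
        except (zipfile.BadZipFile, KeyError):  # not a zip, or no manifest
            continue
        if m.get("Bundle-SymbolicName") != LOG4J_CORE_BUNDLE and not jar.name.startswith("log4j-core-"):
            continue
        version = m.get("Implementation-Version") or jar.stem.replace("log4j-core-", "")
        findings.append((jar.name, version, needs_update(version)))
    return findings

def build_sample_dir():
    """Constructed sample: manifest-only jars with no real Log4j classes inside."""
    root = Path(tempfile.mkdtemp())
    samples = [("log4j-core-2.16.0.jar", LOG4J_CORE_BUNDLE, "2.16.0"), ("renamed-lib.jar", LOG4J_CORE_BUNDLE, "2.17.1"),
               ("log4j-over-slf4j-1.7.7.jar", "log4j.over.slf4j", "1.7.7")]
    for name, bundle, version in samples:
        with zipfile.ZipFile(root / name, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", f"Bundle-SymbolicName: {bundle}\nImplementation-Version: {version}\n")
    return root
```

Running scan_jars on the constructed directory reports log4j-core-2.16.0.jar as needing an update, reports the renamed 2.17.1 jar as fine, and says nothing about the slf4j bridge jar.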

On Tue, 11 Jan 2022 at 16:56, Arvinder Dhillon <dhillona...@gmail.com>
wrote:

> If anyone uses tlp-stress tool, it uses Log4j. It might not be in use most
> of the time, you might want to remove/upgrade the jar.
>
> On Mon, Dec 13, 2021 at 3:58 PM Bowen Song <bo...@bso.ng> wrote:
>
>> Do you mean the log4j-over-slf4j-#.jar? If so, please read:
>> http://slf4j.org/log4shell.html
>>
>> On 13/12/2021 23:48, Rahul Reddy wrote:
>>
>> Hello,
>>
>>
>> I see this jar, log4j-over-slf4j-1.7.7.jar. Does it have any impact on
>> it? What is that jar used for?
>>
>>
>>
>> On Sat, Dec 11, 2021 at 12:45 PM Brandon Williams <dri...@gmail.com>
>> wrote:
>>
>>> https://issues.apache.org/jira/browse/CASSANDRA-5883
>>>
>>> As that ticket shows, Apache Cassandra has never used log4j2.
>>>
>>> On Sat, Dec 11, 2021 at 11:07 AM Abdul Patel <abd786...@gmail.com>
>>> wrote:
>>> >
>>> > Hi all,
>>> >
>>> > Any idea if any of the open source Cassandra versions are impacted by the
>>> > log4j vulnerability which was reported on Dec 9th?
>>>
>>
