lhotari commented on issue #13899: URL: https://github.com/apache/pulsar/issues/13899#issuecomment-1026522349
> pulsar rely on LOG4j1.x. Is it affected by vulnerability [CVE-2022-23302](https://github.com/advisories/GHSA-w9p3-5cr8-m3jj)/23305/23307? > > version:v2.7.4, v2.7.1, v2.5.0, 2.4.2 @gengyuanzhe I'm sorry I don't have a direct answer for your question. Pulsar versions before 2.7.4, 2.8.2 and 2.9.1 contain vulnerable versions of Log4j 2.x which contain CVE-2021-44228, CVE-2021-45046, CVE-2021-45105 and CVE-2021-44832. There was a blog post about Log4Shell: https://pulsar.apache.org/blog/2021/12/11/Log4j-CVE/ . The recent Pulsar versions 2.7.4, 2.8.2 and 2.9.1 don't use Log4J 1.x. Log4J 1.x is included in some older versions of Pulsar distribution. If you have concerns, please consult a security expert. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
