This is an automated email from the ASF dual-hosted git repository.
duhengforever pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/rocketmq-site.git
The following commit(s) were added to refs/heads/master by this push:
new 74020a9 Notes(blog) add CVE-2021-44228 notes
74020a9 is described below
commit 74020a9b63dd70b0c24fa084fbba241c7e0543b5
Author: duhenglucky <[email protected]>
AuthorDate: Thu Dec 16 21:44:11 2021 +0800
Notes(blog) add CVE-2021-44228 notes
---
_posts/2021-12-16-CVE-2021-44228.md | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/_posts/2021-12-16-CVE-2021-44228.md
b/_posts/2021-12-16-CVE-2021-44228.md
new file mode 100644
index 0000000..7a03891
--- /dev/null
+++ b/_posts/2021-12-16-CVE-2021-44228.md
@@ -0,0 +1,12 @@
+---
+title: "Notes on Apache Log4j Zero Day (CVE-2021-44228)"
+categories:
+ - RocketMQ
+---
+
+### Apache RocketMQ is not affected by this CVE-2021-44228.
+
+- Apache RocketMQ does not depend on log4j2 actually, although there are
imports in the pom file.
+- Apache RocketMQ's broker depends on the logback,and RocketMQ's client
depends on log4j2, but its dependency scope is test, and the related
dependencies have been deleted in this PR
[#3635](https://github.com/apache/rocketmq/issues/3635) .
+- Apache RocketMQ's logappender depends on log4j2, but it is optional,
Therefore, the release file does not contain log4j2 related dependencies.
+- Apache RocketMQ still bumped up the log4j2 version in PRs
[#3621](https://github.com/apache/rocketmq/issues/3621)
[#3623](https://github.com/apache/rocketmq/issues/3623), and developers can
cherry-pick related PRs to your private repo to deal with code scanning, and we
expect RocketMQ 4.9.3 to be released in the next 1-2 weeks.
\ No newline at end of file
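Review bot: The first bullet ("does not depend on log4j2 actually, although there are imports in the pom file") reads as contradicting the second and third bullets, which state that the client depends on log4j2 in test scope and that logappender depends on it as an optional dependency; reword it to say what is actually meant, that no log4j2 artifact is shipped at runtime, e.g. `- Apache RocketMQ does not ship log4j2 at runtime; the references in the pom files are test-scoped or optional.` The post should also state explicitly that users who put log4j2 on the classpath themselves (for example to use the optional logappender module, or in their own application) must upgrade their own log4j2 copy, since the "is not affected" heading only covers the release artifacts, and that the version bump in #3621 and #3623 is what they would cherry-pick for that. Minor: drop "this" from "this CVE-2021-44228" in the heading, add the missing space in "logback,and", lower-case "optional, Therefore", and add the trailing newline the diff reports as missing.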