cnauroth commented on a change in pull request #34:
URL: https://github.com/apache/hadoop-site/pull/34#discussion_r772054914



##########
File path: src/cve_list.md
##########
@@ -233,3 +233,19 @@ target encryption zone.
 - **Reported Date**: 2016/11/18
 - **Issue Announced**: 2017/11/08 
([general@hadoop](https://lists.apache.org/thread.html/2e16689b44bdd1976b6368c143a4017fc7159d1f2d02a5d54fe9310f@%3Cgeneral.hadoop.apache.org%3E))
 
+# Thirdparty vulnerabilities
+The following section describes thirdparty vulnerabilities that may be of 
interest to Hadoop users. Please contact the respective project owners for 
details.
+
+## 
[CVE-2021-44228](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228) 
Log4JShell Vulnerability
+
+It is understood that the log4jshell vulnerability CVE-2021-44228 impacts 
log4j2. Hadoop, as of 3.3.x depends on log4j 1.x, which is **NOT** susceptible 
to the attack. Once we migrate over to log4j2, we will adopt a version that is 
not susceptible to the attack, too. Therefore, no ASF version of Hadoop has 
ever been vulnerable. Third party products  and applications based on Hadoop 
*may* be vulnerable, please consult the vendor or the project owner.
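
Review bot: In the CVE-2021-44228 paragraph, "Therefore, no ASF version of Hadoop has ever been vulnerable" comes directly after the sentence about a future log4j2 migration, so the conclusion reads as resting on a promise rather than on the log4j 1.x dependency stated before it. Suggest putting the "Therefore" sentence right after the log4j 1.x sentence, moving the migration sentence to the end, and scoping the claim to this CVE ("not susceptible to CVE-2021-44228") instead of "the attack". Smaller points: the heading uses "Thirdparty" while the body uses "Third party", the name appears as both "Log4JShell" and "log4jshell", "as of 3.3.x depends" is missing a comma after "3.3.x", and "*may* be vulnerable, please consult" is a comma splice that reads better as two sentences.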

Review comment:
       Nitpick: 2 spaces between "products" and "and".

##########
File path: content/cve_list.html
##########
@@ -350,6 +350,19 @@ <h2 
id="cve-2017-3166httpcvemitreorgcgi-bincvenamecginamecve-2017-3166-apache-ha
 <li><strong>Reported Date</strong>: 2016/11/18</li>
 <li><strong>Issue Announced</strong>: 2017/11/08 (<a 
href="https://lists.apache.org/thread.html/2e16689b44bdd1976b6368c143a4017fc7159d1f2d02a5d54fe9310f@%3Cgeneral.hadoop.apache.org%3E";>general@hadoop</a>)</li>
 </ul>
+<h1 id="thirdparty-vulnerabilities">Thirdparty vulnerabilities</h1>
+<p>The following section describes thirdparty vulnerabilities that may be of 
interest to Hadoop users. Please contact the respective project owners for 
details.</p>
+<h2 
id="cve-2021-44228httpscvemitreorgcgi-bincvenamecginamecve-2021-44228-log4jshell-vulnerability"><a
 
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228";>CVE-2021-44228</a>
 Log4JShell Vulnerability</h2>
+<p>It is understood that the log4jshell vulnerability CVE-2021-44228 impacts 
log4j2. Hadoop, as of 3.3.x depends on log4j 1.x, which is <strong>NOT</strong> 
susceptible to the attack. Once we migrate over to log4j2, we will adopt a 
version that is not susceptible to the attack, too. Therefore, no ASF version 
of Hadoop has ever been vulnerable. Third party products  and applications 
based on Hadoop <em>may</em> be vulnerable, please consult the vendor or the 
project owner.</p>
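
Review bot: The new section heading is an `<h1 id="thirdparty-vulnerabilities">` while the context entry above it is an `<h2>`, and both new ids appear to be derived from the heading text, so the "Thirdparty" spelling and the "log4jshell" name become part of the published anchors. Suggest settling the heading wording in src/cve_list.md and regenerating this file before merge, since renaming the headings later changes the ids and breaks any links that point at them. The wording points on the markdown paragraph apply to this `<p>` as well and should be fixed in the source rather than here.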

Review comment:
       Nitpick: 2 spaces between "products" and "and".




-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
