tasanuma commented on a change in pull request #34:
URL: https://github.com/apache/hadoop-site/pull/34#discussion_r772070014



##########
File path: src/cve_list.md
##########
@@ -233,3 +233,19 @@ target encryption zone.
 - **Reported Date**: 2016/11/18
 - **Issue Announced**: 2017/11/08 
([general@hadoop](https://lists.apache.org/thread.html/2e16689b44bdd1976b6368c143a4017fc7159d1f2d02a5d54fe9310f@%3Cgeneral.hadoop.apache.org%3E))
 
+# Thirdparty vulnerabilities
+The following section describes thirdparty vulnerabilities that may be of 
interest to Hadoop users. Please contact the respective project owners for 
details.
+
+## 
[CVE-2021-44228](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228) 
Log4JShell Vulnerability
+
+It is understood that the log4jshell vulnerability CVE-2021-44228 impacts 
log4j2. Hadoop, as of 3.3.x depends on log4j 1.x, which is **NOT** susceptible 
to the attack. Once we migrate over to log4j2, we will adopt a version that is 
not susceptible to the attack, too. Therefore, no ASF version of Hadoop has 
ever been vulnerable. Third party products and applications based on Hadoop 
*may* be vulnerable, please consult the vendor or the project owner.
+
+- **Versions affected**: N/A
+
+## 
[CVE-2021-4104](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4104) 
Log4JShell Vulnerability
+
+JMSAppender in Log4j 1.2, used by all versions of Apache Hadoop, is vulnerable 
to the Log4JShell attack in a similar fashion to CVE-2021-4428. However, the 
JMSAppender is not the default configuration shipped in Hadoop. When 
JMSAppender is not enabled, Hadoop is not vulnerable to the attack.
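Review bot: the cross-reference in the CVE-2021-4104 paragraph cites `CVE-2021-4428`, which does not match the Log4Shell identifier `CVE-2021-44228` used in the heading and paragraph of the entry above it; correct the typo so the two entries agree. Two smaller points in the same hunk: the CVE-2021-4104 heading reuses the title "Log4JShell Vulnerability" even though its paragraph describes the separate JMSAppender issue in Log4j 1.2, so a distinct title (for example "Log4j 1.2 JMSAppender vulnerability") would keep readers from conflating the two; and the CVE-2021-4104 entry lacks the `- **Versions affected**:` bullet that the CVE-2021-44228 entry carries, so add one stating what the paragraph already says, namely that every Hadoop release ships Log4j 1.2 and that exposure requires an explicitly configured JMSAppender. Finally, "Thirdparty" in the new section heading and its first sentence reads better as "Third-party".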

Review comment:
```suggestion
JMSAppender in Log4j 1.2, used by all versions of Apache Hadoop, is vulnerable to the Log4JShell attack in a similar fashion to CVE-2021-44228. However, the JMSAppender is not the default configuration shipped in Hadoop. When JMSAppender is not enabled, Hadoop is not vulnerable to the attack.
```




-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
