Ron created HADOOP-18053:
----------------------------
Summary: Apache Hadoop support for log4j >= 2.17
Key: HADOOP-18053
URL: https://issues.apache.org/jira/browse/HADOOP-18053
Project: Hadoop Common
Issue Type: Improvement
Components: common
Affects Versions: 2.10.1
Reporter: Ron
Federal Agencies are being given [CISA|https://www.cisa.gov/] directives
requiring all agencies to upgrade log4j 1.x applications to versions
supporting log4j version 2.16.0 or higher (as of last Friday) or remove the jar
files from our machines.
1.x versions of log4j are EOL, are vulnerable to multiple existing CVEs (9.8
Critical severity RCE <https://nvd.nist.gov/vuln/detail/CVE-2019-17571> and
8.1 High severity RCE <https://nvd.nist.gov/vuln/detail/CVE-2021-4104>), and
due to increased scrutiny have already had a new CVE reported this week
(<https://nvd.nist.gov/vuln/detail/CVE-2021-4104>).
The CISA guidance will continue to grow and improve over time, and as of Friday
12/17/2021 CISA stated that log4j needs to be upgraded to 2.16.0 or higher.
I'm afraid Apache's statement
<https://hadoop.apache.org/news/2021-12-17-log4jshell.html> will not meet the
federal requirement. Please consider this an urgent request to release updated
versions of Hadoop 2.x / 3.x which support log4j 2.17 or higher. Patches or
workarounds would be helpful in the short term.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)