[ 
https://issues.apache.org/jira/browse/HADOOP-18053?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Takanobu Asanuma resolved HADOOP-18053.
---------------------------------------
    Resolution: Duplicate

I'm closing this ticket as it is a duplicate of HADOOP-12956.

> Apache Hadoop support for log4j >= 2.17
> ---------------------------------------
>
>                 Key: HADOOP-18053
>                 URL: https://issues.apache.org/jira/browse/HADOOP-18053
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: common
>    Affects Versions: 2.10.1
>            Reporter: Ron
>            Priority: Blocker
>
> Federal Agencies are being given [CISA|https://www.cisa.gov/] directives 
> requiring all agencies to upgrade log4j 1.x applications to versions 
> supporting log4j version 2.16.0 or higher (as of last Friday) or remove the 
> jar files from our machines.
> 1.x versions of log4j are EOL, are vulnerable to multiple existing CVEs (9.8 
> Critical severity RCE <https://nvd.nist.gov/vuln/detail/CVE-2019-17571> and 
> 8.1 High severity RCE <https://nvd.nist.gov/vuln/detail/CVE-2021-4104>), and 
> due to increased scrutiny have already had a new CVE reported this week 
> (<https://nvd.nist.gov/vuln/detail/CVE-2021-4104>).
> The CISA guidance will continue to grow and improve over time, and as of 
> Friday 12/17/2021 CISA stated that log4j needs to be upgraded to 2.16.0 or 
> higher.
> I'm afraid Apache's statement 
> <https://hadoop.apache.org/news/2021-12-17-log4jshell.html> will not meet the 
> federal requirement. Please consider this an urgent request to release 
> updated versions of Hadoop 2.x / 3.x which support log4j 2.17 or higher. 
> Patches or workarounds would be helpful in the short term.


