[ https://issues.apache.org/jira/browse/HADOOP-18053?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Takanobu Asanuma resolved HADOOP-18053.
---------------------------------------
    Resolution: Duplicate

I'm closing this ticket as it is a duplicate of HADOOP-12956.

> Apache Hadoop support for log4j >= 2.17
> ---------------------------------------
>
>                 Key: HADOOP-18053
>                 URL: https://issues.apache.org/jira/browse/HADOOP-18053
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: common
>    Affects Versions: 2.10.1
>            Reporter: Ron
>            Priority: Blocker
>
> Federal Agencies are being given [CISA|https://www.cisa.gov/] directives
> requiring all agencies to upgrade log4j 1.x applications to versions
> supporting log4j version 2.16.0 or higher (as of last Friday) or remove the
> jar files from our machines.
> 1.x versions of log4j are EOL, are vulnerable to multiple existing CVEs (9.8
> Critical severity RCE<[https://nvd.nist.gov/vuln/detail/CVE-2019-17571]> and
> 8.1 High severity RCE<[https://nvd.nist.gov/vuln/detail/CVE-2021-4104]>), and
> due to increased scrutiny have already had a new CVE reported this week
> ([https://nvd.nist.gov/vuln/detail/CVE-2021-4104]).
> The CISA guidance will continue to grow and improve over time, and as of
> Friday 12/17/2021 CISA stated that log4j needs to be upgraded to 2.16.0 or
> higher.
> I'm afraid Apache's statement
> <https://hadoop.apache.org/news/2021-12-17-log4jshell.html> will not meet the
> federal requirement. Please consider this an urgent request to release
> updated versions of Hadoop 2.x / 3.x which support log4j 2.17 or higher.
> Patches or workarounds would be helpful in the short term.