[
https://issues.apache.org/jira/browse/AVRO-3304?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17475560#comment-17475560
]
Ryan Skraba commented on AVRO-3304:
-----------------------------------
Hello! If you are referring to the recent Log4shell/Log4jam RCE exploits, I
don't think avro-tools is vulnerable and this might be a false positive. The
(admittedly {_}ancient{_}) version of log4j that is bundled with avro-tools is
not affected by these CVEs.
That being said, we really should move forward to a modern version of log4j –
I'm OK with sl4j-simple, especially if we can avoid any changes to the
[pattern|[https://github.com/apache/avro/blob/70260919426f89825ca148f5ee815f3b2cf4764d/lang/java/tools/src/main/resources/log4j.properties#L22].]
As an alternative, there's also log4j-slf4j-impl which should be a drop-in
replacement.
> avro-tools Update log4j dependency for critical vulnerability
> -------------------------------------------------------------
>
> Key: AVRO-3304
> URL: https://issues.apache.org/jira/browse/AVRO-3304
> Project: Apache Avro
> Issue Type: Task
> Components: tools
> Affects Versions: 1.11.0
> Reporter: Daniel Nash
> Priority: Major
>
> Our company security is having a fit because Nessus scans are triggering on
> the bundled log4j in the avro-tools.jar. Please update the log4j
> dependencies to the latest versions to remove the critical vulnerability
> present in the currently bundled log4j.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
