[ 
https://issues.apache.org/jira/browse/AVRO-3304?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17475560#comment-17475560
 ] 

Ryan Skraba edited comment on AVRO-3304 at 1/13/22, 5:54 PM:
-------------------------------------------------------------

Hello!  If you are referring to the recent Log4shell/Log4jam RCE exploits, I 
don't think avro-tools is vulnerable and this might be a false positive.  The 
(admittedly _ancient_) version of log4j that is bundled with avro-tools is 
not affected by these CVEs.

That being said, we really should move forward to a modern version of log4j – 
-I'm OK with slf4j-simple, especially if we can avoid any changes to the 
[pattern|https://github.com/apache/avro/blob/70260919426f89825ca148f5ee815f3b2cf4764d/lang/java/tools/src/main/resources/log4j.properties#L22].- 
As an alternative, there's also log4j-slf4j-impl which should be a drop-in 
replacement.

I've already changed my mind about this – I suspect that if anyone really cares 
about the logging pattern, they can (and probably should) repackage the 
uber-jar with their own log4j.properties and artifacts they want.


was (Author: ryanskraba):
Hello!  If you are referring to the recent Log4shell/Log4jam RCE exploits, I 
don't think avro-tools is vulnerable and this might be a false positive.  The 
(admittedly {_}ancient{_}) version of log4j that is bundled with avro-tools is 
not affected by these CVEs.

That being said, we really should move forward to a modern version of log4j – 
I'm OK with slf4j-simple, especially if we can avoid any changes to the 
[pattern|https://github.com/apache/avro/blob/70260919426f89825ca148f5ee815f3b2cf4764d/lang/java/tools/src/main/resources/log4j.properties#L22]. 
As an alternative, there's also log4j-slf4j-impl which should be a drop-in 
replacement.

> avro-tools Update log4j dependency for critical vulnerability
> -------------------------------------------------------------
>
>                 Key: AVRO-3304
>                 URL: https://issues.apache.org/jira/browse/AVRO-3304
>             Project: Apache Avro
>          Issue Type: Task
>          Components: tools
>    Affects Versions: 1.11.0
>            Reporter: Daniel Nash
>            Priority: Major
>
> Our company security is having a fit because Nessus scans are triggering on 
> the bundled log4j in the avro-tools.jar.  Please update the log4j 
> dependencies to the latest versions to remove the critical vulnerability 
> present in the currently bundled log4j.
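A practitioner-side check for this kind of scanner finding, added here as an example (it is not Apache Avro or avro-tools code): it reads the Maven pom.properties entries inside a jar to see which log4j generation is bundled, tests for the log4j-core 2.x JndiLookup class that CVE-2021-44228 (Log4Shell) depends on, and repackages an uber-jar with a caller-supplied log4j.properties, which is the route the comment above suggests for anyone who cares about the logging pattern. The jars, versions and entries it inspects are constructed inside the script (the "1.2.17" and "2.14.1" values are sample data, not a statement about what avro-tools ships), and it assumes the uber-jar kept the META-INF/maven/<groupId>/<artifactId>/pom.properties entries from its dependencies.

```python
"""Triage a scanner hit on log4j bundled in an uber-jar, then repackage the
jar with your own log4j.properties.  Added example, not avro-tools code.
Runs offline: the jars it inspects are constructed below."""
import io
import zipfile

# Maven writes META-INF/maven/<groupId>/<artifactId>/pom.properties into
# each jar; shaded uber-jars normally keep these entries (assumption).
LOG4J1_POM = "META-INF/maven/log4j/log4j/pom.properties"
LOG4J2_POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# CVE-2021-44228 (Log4Shell) is reachable only through this log4j-core 2.x
# class; log4j 1.x has no JNDI lookup plugin at all.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def _pom_version(zf, entry):
    """Return the version= value from a pom.properties entry, or None."""
    try:
        text = zf.read(entry).decode("utf-8", "replace")
    except KeyError:
        return None
    for line in text.splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def inspect_jar(jar_bytes):
    """Summarise which log4j generation the jar bundles."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
        return {
            "log4j1": _pom_version(zf, LOG4J1_POM),
            "log4j2_core": _pom_version(zf, LOG4J2_POM),
            "log4j1_classes": any(n.startswith("org/apache/log4j/") for n in names),
            "jndi_lookup": JNDI_LOOKUP in names,
        }


def log4shell_exposed(report):
    """True only when log4j-core 2.x and JndiLookup.class are both present.
    A jar that bundles only log4j 1.x is a false positive for this CVE;
    it may still match other, 1.x-specific scanner signatures."""
    return report["log4j2_core"] is not None and report["jndi_lookup"]


def repackage_with_properties(jar_bytes, props_text, entry="log4j.properties"):
    """Copy the jar, replacing (or adding) the root log4j.properties."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        replaced = False
        for info in src.infolist():
            if info.filename == entry:
                dst.writestr(entry, props_text)
                replaced = True
            else:
                dst.writestr(info, src.read(info.filename))
        if not replaced:
            dst.writestr(entry, props_text)
    return out.getvalue()


def read_entry(jar_bytes, entry):
    """Read one entry back out of a jar (used to verify the repackage)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return zf.read(entry)


def build_sample_jar(log4j_major, version):
    """Construct a minimal uber-jar skeleton for the demo (constructed data:
    the .class entries are placeholder bytes, not real classes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("log4j.properties", "log4j.rootLogger=INFO, stdout\n")
        if log4j_major == 1:
            zf.writestr(LOG4J1_POM, f"groupId=log4j\nartifactId=log4j\nversion={version}\n")
            zf.writestr("org/apache/log4j/Logger.class", b"\xca\xfe\xba\xbe")
        else:
            zf.writestr(LOG4J2_POM, "groupId=org.apache.logging.log4j\n"
                                    f"artifactId=log4j-core\nversion={version}\n")
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    for major, ver in ((1, "1.2.17"), (2, "2.14.1")):
        rep = inspect_jar(build_sample_jar(major, ver))
        print(f"log4j {ver}: {rep} -> Log4Shell exposed: {log4shell_exposed(rep)}")
    patched = repackage_with_properties(build_sample_jar(1, "1.2.17"),
                                        "log4j.rootLogger=WARN, stderr\n")
    print(read_entry(patched, "log4j.properties").decode())
```

Run it against a real avro-tools.jar by passing the file's bytes to inspect_jar; the point of the check is that a scanner matching on the string "log4j" cannot distinguish a 1.x artifact from a 2.x one, whereas the presence of log4j-core's pom.properties together with JndiLookup.class is what actually decides the Log4Shell question. The repackaging step does a byte-for-byte copy of every other entry, so the patched jar keeps its original log4j version and classes and only the logging pattern changes.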



--
This message was sent by Atlassian Jira
(v8.20.1#820001)