[ https://issues.apache.org/jira/browse/AVRO-3304?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17477350#comment-17477350 ]

Ryan Skraba commented on AVRO-3304:
-----------------------------------

Just for info: the Log4j version 1.2.17 dependency is also brought in by Hadoop 
3.3.1 (the current stable version).  I'm not sure there's much point in 
removing our direct dependency while 
https://issues.apache.org/jira/browse/HADOOP-12956 is still open. 

It may be necessary to create an artifact of avro-tools that doesn't include 
hadoop (which is used to access remote files on filesystems like HDFS).

[~DannyBoy2k] What do you think? Are you including avro-tools as a dependency 
in your project, or is an installed jar triggering your scanner?

> avro-tools Update log4j dependency for critical vulnerability
> -------------------------------------------------------------
>
>                 Key: AVRO-3304
>                 URL: https://issues.apache.org/jira/browse/AVRO-3304
>             Project: Apache Avro
>          Issue Type: Task
>          Components: tools
>    Affects Versions: 1.11.0
>            Reporter: Daniel Nash
>            Assignee: Ryan Skraba
>            Priority: Major
>              Labels: pull-request-available
>          Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> Our company security is having a fit because Nessus scans are triggering on 
> the bundled log4j in the avro-tools.jar.  Please update the log4j 
> dependencies to the latest versions to remove the critical vulnerability 
> present in the currently bundled log4j.
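Added example (not part of the Jira thread or the Avro project's code): one way to answer the question above is to inspect the jar itself, since a fat jar such as avro-tools.jar carries a `META-INF/maven/<groupId>/<artifactId>/pom.properties` entry for every Maven artifact that was bundled into it, and also the bundled classes. The script below lists those coordinates, flags the legacy `log4j:log4j` line, and checks for `org/apache/log4j/` classes as a fallback for shaded jars whose pom.properties were dropped; the jar it builds in memory is a constructed stand-in with the versions named in this thread, not a real avro-tools build.

```python
"""Inspect a (fat) jar for bundled Maven artifacts and flag legacy log4j 1.x."""
import io
import sys
import zipfile

def parse_pom_properties(text):
    """Parse a Maven pom.properties body: key=value lines, '#' comments ignored."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def bundled_artifacts(jar_bytes):
    """Return (groupId, artifactId, version) for each pom.properties inside the jar."""
    found = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
                p = parse_pom_properties(jar.read(name).decode("utf-8", "replace"))
                found.append((p.get("groupId"), p.get("artifactId"), p.get("version")))
    return found

def flag_log4j1(artifacts):
    """Legacy log4j 1.x is published under groupId 'log4j' (2.x uses org.apache.logging.log4j)."""
    return [a for a in artifacts if a[0] == "log4j" and a[1] == "log4j"]

def has_log4j1_classes(jar_bytes):
    """Fallback signal for shaded jars: any class under the log4j 1.x package root."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return any(n.startswith("org/apache/log4j/") and n.endswith(".class")
                   for n in jar.namelist())

def build_sample_jar():
    """Constructed stand-in for avro-tools.jar (NOT a real build): avro 1.11.0,
    hadoop-common 3.3.1 and the log4j 1.2.17 it pulls in, per the thread."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/maven/org.apache.avro/avro/pom.properties",
                     "groupId=org.apache.avro\nartifactId=avro\nversion=1.11.0\n")
        jar.writestr("META-INF/maven/org.apache.hadoop/hadoop-common/pom.properties",
                     "#Generated by Maven\ngroupId=org.apache.hadoop\n"
                     "artifactId=hadoop-common\nversion=3.3.1\n")
        jar.writestr("META-INF/maven/log4j/log4j/pom.properties",
                     "version=1.2.17\ngroupId=log4j\nartifactId=log4j\n")
        jar.writestr("org/apache/log4j/Logger.class", b"\xca\xfe\xba\xbe")  # placeholder bytes
    return buf.getvalue()

if __name__ == "__main__":
    # Pass a real jar path as argv[1]; otherwise the constructed sample is inspected.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_jar()
    arts = bundled_artifacts(data)
    for g, a, v in arts:
        print(f"{g}:{a}:{v}")
    print("legacy log4j bundled:", flag_log4j1(arts) or has_log4j1_classes(data))
```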



--
This message was sent by Atlassian Jira
(v8.20.1#820001)