I agree. Meanwhile, if the log4j version is v2.1 or greater, we should add the following runtime workaround to the Apache Bigtop site for the current release: set "-Dlog4j2.formatMsgNoLookups=true" on the JVM at runtime.
On Sat, Dec 11, 2021 at 5:22 AM Luca Toscano (Jira) <[email protected]> wrote:
> Luca Toscano created BIGTOP-3613:
> ------------------------------------
>
>              Summary: Review log4j configurations for CVE-2021-44228
>                  Key: BIGTOP-3613
>                  URL: https://issues.apache.org/jira/browse/BIGTOP-3613
>              Project: Bigtop
>           Issue Type: Sub-task
>     Affects Versions: 3.1.0
>             Reporter: Luca Toscano
>
>
> Due to CVE-2021-44228, it would be great to avoid shipping 3.1 with the
> affected log4j versions, or alternatively to apply the workarounds to patch
> the issue (like -Dlog4j2.formatMsgNoLookups=true etc..)
>
> More info: https://github.com/advisories/GHSA-jfh8-c2jp-5v3q
>
>
>
> --
> This message was sent by Atlassian Jira
> (v8.20.1#820001)
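As an added example (not Bigtop project code), a small Python scanner that finds log4j-core jars under a directory, reads the Maven pom.properties each one carries, and reports whether the jar is affected by CVE-2021-44228 and whether the -Dlog4j2.formatMsgNoLookups=true workaround would apply to it. It assumes the upstream thresholds (2.15.0 as the first fixed 2.x release, 2.10 as the first release that recognises the property), does not special-case the later backport releases for older branches, and uses a constructed minimal jar as its test fixture.

```python
import io
import re
import zipfile
from pathlib import Path

FIXED = (2, 15, 0)           # first 2.x release with message lookups disabled by default
FLAG_SUPPORTED = (2, 10, 0)  # log4j2.formatMsgNoLookups is only recognised from 2.10 onward
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def parse_version(text):
    """'2.14.1' -> (2, 14, 1); tolerates suffixes such as '-rc1' and missing parts."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def assess_jar(data):
    """Assess one jar given its bytes; returns None if it is not log4j-core."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if POM not in names:
            return None
        props = dict(line.split("=", 1) for line in zf.read(POM).decode().splitlines()
                     if "=" in line and not line.startswith("#"))
    version = parse_version(props["version"])
    # A jar from which JndiLookup.class was stripped is not exposed through this bug.
    vulnerable = version < FIXED and JNDI_CLASS in names
    return {
        "version": ".".join(map(str, version)),
        "vulnerable": vulnerable,
        "flag_mitigates": vulnerable and version >= FLAG_SUPPORTED,
    }

def scan(root):
    """Yield (path, assessment) for every log4j-core jar found under root."""
    for jar in Path(root).rglob("*.jar"):
        result = assess_jar(jar.read_bytes())
        if result is not None:
            yield str(jar), result

def build_sample_jar(version, with_jndi=True):
    """Constructed fixture: a minimal jar that looks like log4j-core to assess_jar()."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM, f"#constructed\nversion={version}\nartifactId=log4j-core\n")
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class
    return buf.getvalue()
```

A jar reported as vulnerable with flag_mitigates false needs an upgrade (or removal of the lookup class), since the JVM property alone will not protect it.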
