Hello,

Just confirmed that, yes, we are using log4j version 1. However, our
suggested deployment of Docker and Kubernetes uses BookKeeper 4.13.0,
which is vulnerable to Log4Shell. There is no official release for
Apache BookKeeper yet; we need to bump the version in the file when they
get the official release.

Regards,
*Windham Wong*
OSWE, OSCP, GCIA, Specialist in Cybersecurity
Co-Founder, Managing Partner of
*Stormeye.io, Hong Kong Managed Security Operation Center Limited*
Specialist in Cybersecurity, Log Management and SIEM System
<https://www.stormeye.io>

On 11/12/2021 18:00, H W wrote:

"It is CVE-2021-44228 and affects version 2 of log4j between versions
2.0-beta-9 and 2.14.1. It is not present in version 1 of log4j and is
patched in 2.15.0."

It seems our log4j is old enough and is not affected. Correct me if I am
wrong.
Better to upgrade it to 2.15.0 though.

On Sat, Dec 11, 2021 at 1:52 AM H W wrote:

The current version in maven_install.json is 1.2. We need >2.15.0 if I
understand correctly.

On Sat, Dec 11, 2021 at 1:44 AM Ning Wang wrote:

Are we using this library in Heron? We need to upgrade it ASAP if we do.
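
Added example, not part of the thread or of Heron's code: a Python check that walks a JSON dependency lockfile and classifies every log4j coordinate against the version range quoted in the thread. The function names and the sample lockfile layout are assumptions made for illustration; only the `log4j:log4j` (1.x) and `org.apache.logging.log4j:log4j-core` (2.x) artifacts are considered.

```python
import json
import re

# Range as quoted in the thread: 2.0-beta-9 through 2.14.1 affected, 2.15.0 patched.
STAGE = {"alpha": 0, "beta": 1, "rc": 2, None: 3}   # pre-releases sort before the release
LOW, HIGH, FIXED = (2, 0, 0, 1, 9), (2, 14, 1, 3, 0), (2, 15, 0, 3, 0)
VERSION = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)-?(\d+))?")
TARGETS = {("log4j", "log4j"), ("org.apache.logging.log4j", "log4j-core")}

def version_key(version):
    """Turn '2.0-beta9' or '2.14.1' into a tuple that compares in release order."""
    m = VERSION.match(version.lower())
    if not m:
        return None
    major, minor, patch, stage, n = m.groups()
    return (int(major), int(minor), int(patch or 0), STAGE[stage], int(n or 0))

def classify(coord):
    """Classify a Maven coordinate (group:artifact[:packaging[:classifier]]:version)."""
    parts = coord.split(":")
    if len(parts) < 3 or (parts[0], parts[1]) not in TARGETS:
        return None                      # not a log4j coordinate this check covers
    key = version_key(parts[-1])
    if key is None:
        return "unparsed"
    if key[0] == 1:
        return "log4j-1.x"               # outside the CVE-2021-44228 range per the quote
    if LOW <= key <= HIGH:
        return "affected"
    return "patched" if key >= FIXED else "outside-quoted-range"

def walk_strings(node):
    """Yield every string (keys and values) so the scan does not depend on one schema."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for k, v in node.items():
            yield k
            yield from walk_strings(v)
    elif isinstance(node, list):
        for v in node:
            yield from walk_strings(v)

def scan(lockfile_text):
    """Return {coordinate: status} for each log4j coordinate found in the lockfile."""
    hits = ((s, classify(s)) for s in walk_strings(json.loads(lockfile_text)))
    return {s: status for s, status in hits if status}

# Constructed sample; the layout is an assumption, not Heron's real maven_install.json.
SAMPLE = json.dumps({"dependencies": [
    {"coord": "log4j:log4j:1.2"},
    {"coord": "org.apache.logging.log4j:log4j-core:2.14.1"},
    {"coord": "org.apache.bookkeeper:bookkeeper-server:4.13.0"}]})

if __name__ == "__main__":
    for coord, status in scan(SAMPLE).items():
        print(f"{status:22} {coord}")
```

A lockfile scan only sees coordinates pinned in that file; log4j shipped inside container images or inside other artifacts, such as the BookKeeper deployment mentioned in the thread, needs its own check.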