You can update to ZooKeeper 3.8.0; it brings LogBack and we removed Log4j 1.
For the older branches (3.6 and 3.7) we are trying to move to reload4j.

Enrico

On Tue, 15 Mar 2022 at 17:21, Yoni Dayan <yo...@nvidia.com.invalid> wrote:
>
> Hello Zookeeper team,
> Can you please update when (on which release) will Zookeeper be upgraded to
> latest Log4J release?
> Current version that it uses (1.X) exposes Zookeeper users to the following
> CVE-s:
>
> * Critical
>   * CVE-2019-17571<https://nvd.nist.gov/vuln/detail/CVE-2019-17571>
>   * CVE-2022-23305<https://nvd.nist.gov/vuln/detail/CVE-2022-23305>
>   * CVE-2022-23307<https://nvd.nist.gov/vuln/detail/CVE-2022-23307>
> * High
>   * CVE-2022-23302<https://nvd.nist.gov/vuln/detail/CVE-2022-23302>
>   * CVE-2021-4104<https://nvd.nist.gov/vuln/detail/CVE-2021-4104>
> * Low
>   * CVE-2020-9488<https://nvd.nist.gov/vuln/detail/CVE-2020-9488>
>
> Regards,
> Yoni Dayan
> Sr. Manager | SW
> +972-74-7129344
> NVIDIA<http://www.nvidia.com/>
>