It should be mentioned that you don't need to wait for a new release
of ZooKeeper to upgrade your own installations. You can simply swap
out the log4j1.2 jar on your classpath with the reload4j jar.

On Tue, Mar 15, 2022 at 12:41 PM Enrico Olivelli <eolive...@gmail.com> wrote:
>
> You can update to ZooKeeper 3.8.0.
> It brings LogBack and we removed Log4j 1.
>
> For the older branches (3.6 and 3.7) we are trying to move to reload4j
>
> Enrico
>
> On Tue, Mar 15, 2022 at 17:21 Yoni Dayan
> <yo...@nvidia.com.invalid> wrote:
> >
> > Hello ZooKeeper team,
> > Can you please update when (on which release) ZooKeeper will be upgraded to
> > the latest Log4J release?
> > The current version that it uses (1.X) exposes ZooKeeper users to the following
> > CVEs:
> >
> >   *   Critical
> >      *   CVE-2019-17571<https://nvd.nist.gov/vuln/detail/CVE-2019-17571>
> >      *   CVE-2022-23305<https://nvd.nist.gov/vuln/detail/CVE-2022-23305>
> >      *   CVE-2022-23307<https://nvd.nist.gov/vuln/detail/CVE-2022-23307>
> >   *   High
> >      *   CVE-2022-23302<https://nvd.nist.gov/vuln/detail/CVE-2022-23302>
> >      *   CVE-2021-4104<https://nvd.nist.gov/vuln/detail/CVE-2021-4104>
> >   *   Low
> >      *   CVE-2020-9488<https://nvd.nist.gov/vuln/detail/CVE-2020-9488>
> >
> > Regards,
> > Yoni Dayan
> > Sr. Manager | SW
> > +972-74-7129344
> > NVIDIA<http://www.nvidia.com/>
> >
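The jar swap described in the reply at the top of this thread, as an added example that is not part of the original e-mails or of ZooKeeper: it classifies a lib directory and moves log4j 1.2 jars out of it. The function names, the backup directory argument and the reliance on upstream jar file names (`log4j-1.2*.jar`, `reload4j-*.jar`) are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes jars keep their upstream file names.

# Print the logging state of a lib directory:
#   vulnerable = log4j 1.2 only, conflict = both jars present,
#   swapped    = reload4j only,  absent   = neither
log4j1_state() (
    dir=$1; old=0; new=0
    for f in "$dir"/*.jar; do
        [ -e "$f" ] || continue
        case "$(basename "$f")" in
            log4j-1.2-api-*.jar) ;;                  # Log4j 2 bridge, not log4j 1.x
            log4j-1.2*.jar)  old=$((old + 1)) ;;
            reload4j-*.jar)  new=$((new + 1)) ;;
        esac
    done
    if [ "$old" -gt 0 ] && [ "$new" -gt 0 ]; then echo conflict
    elif [ "$old" -gt 0 ]; then echo vulnerable
    elif [ "$new" -gt 0 ]; then echo swapped
    else echo absent
    fi
)

# Move log4j 1.2 jars to a backup directory outside the lib directory (so a
# wildcard classpath no longer loads them), copy in a reload4j jar that the
# operator has already downloaded and verified, then print the resulting state.
swap_to_reload4j() (
    dir=$1; replacement=$2; backup=$3
    [ -f "$replacement" ] || { echo "missing: $replacement" >&2; exit 1; }
    mkdir -p "$backup"
    for f in "$dir"/log4j-1.2*.jar; do
        [ -e "$f" ] || continue
        case "$(basename "$f")" in log4j-1.2-api-*.jar) continue ;; esac
        mv "$f" "$backup"/
    done
    cp "$replacement" "$dir"/
    log4j1_state "$dir"
)

# Stand-alone use: sh script.sh /path/to/lib
if [ "$#" -gt 0 ]; then log4j1_state "$1"; fi
```

A `conflict` result means both jars are still on the classpath, so class loading order decides which copy of the `org.apache.log4j` classes is used; remove the old jar rather than relying on ordering.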
