[ https://issues.apache.org/jira/browse/BEAM-11055?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17226294#comment-17226294 ]

Ismaël Mejía commented on BEAM-11055:
-------------------------------------

[~znick] I was investigating this today with slow progress. This update exposed 
an unseen bug on the Hive module. If things go well we could eventually catch 
this one for the next release 2.26.0, which is going to be cut this week; 
otherwise hopefully we would have this one out after that release.

Note that Beam is using log4j only as a runtime dependency for the tests, so 
there should be no concern as a user. This looks more like a false positive, but 
better to have the dependencies updated and clean.


> Update log4j to version 2.13.3
> ------------------------------
>
>                 Key: BEAM-11055
>                 URL: https://issues.apache.org/jira/browse/BEAM-11055
>             Project: Beam
>          Issue Type: Improvement
>          Components: build-system, io-java-elasticsearch
>            Reporter: Ismaël Mejía
>            Assignee: Ismaël Mejía
>            Priority: P2
>          Time Spent: 2h 40m
>  Remaining Estimate: 0h
>
> Beam uses a version of log4j that is reported by some security tools to have 
> some security issues. Notice that Beam's use of log4j should not be impacted 
> by the issue.
> See [https://nvd.nist.gov/vuln/detail/CVE-2017-5645]
> The update in the vendored grpc module is to ensure it gets updated too in a 
> future release of our vendored dependencies. Notice that this is a runtime 
> dep for users so they are free to provide their own version so less of an 
> issue.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)

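The comment and the issue description both turn on one question a scanner cannot answer on its own: which log4j version is actually on a given classpath, and is it below the 2.13.3 target named in BEAM-11055? The script below is an added example, not Beam's or Log4j's own code. It reads the Maven `pom.properties` that Maven-built log4j jars carry under `META-INF/maven/org.apache.logging.log4j/`, compares the version against 2.13.3, and reports which jars are older. The jars it scans are constructed in memory for the demonstration (a zip containing only that properties file), so it runs offline; point `scan_classpath` at real jar bytes to use it for a genuine check.

```python
import io
import zipfile

# Target version from the issue title (BEAM-11055): log4j 2.13.3.
MINIMUM_LOG4J = (2, 13, 3)

# Path prefix that Maven-built log4j artifacts use for their pom.properties.
LOG4J_MAVEN_PREFIX = "META-INF/maven/org.apache.logging.log4j/"


def parse_version(text):
    """Turn '2.13.3' into (2, 13, 3). A qualifier such as '-SNAPSHOT' is
    stripped from its component; parsing stops at the first non-numeric part."""
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def log4j_version_from_jar(jar_bytes):
    """Return the log4j artifact version recorded in the jar's pom.properties,
    or None when the jar is not an org.apache.logging.log4j artifact."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith(LOG4J_MAVEN_PREFIX) and name.endswith("pom.properties"):
                props = zf.read(name).decode("utf-8", "replace")
                for line in props.splitlines():
                    if line.startswith("version="):
                        return line.split("=", 1)[1].strip()
    return None


def is_outdated(jar_bytes, minimum=MINIMUM_LOG4J):
    """True if the jar is a log4j artifact older than `minimum`,
    False if it is at or above it, None if it is not a log4j jar at all."""
    version = log4j_version_from_jar(jar_bytes)
    if version is None:
        return None
    return parse_version(version) < minimum


def scan_classpath(jars, minimum=MINIMUM_LOG4J):
    """jars: mapping of jar file name -> jar bytes.
    Returns the sorted list of (file name, version) for log4j jars below `minimum`."""
    findings = []
    for filename, data in jars.items():
        if is_outdated(data, minimum):
            findings.append((filename, log4j_version_from_jar(data)))
    return sorted(findings)


def make_fake_jar(artifact, version, group="org.apache.logging.log4j"):
    """Constructed fixture: a minimal zip holding only a Maven pom.properties,
    enough for the checks above. Real jars carry classes and a manifest too."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            f"META-INF/maven/{group}/{artifact}/pom.properties",
            f"version={version}\ngroupId={group}\nartifactId={artifact}\n",
        )
    return buf.getvalue()


# Constructed sample classpath: one old log4j-core, one current log4j-api,
# and an unrelated library that should be ignored.
SAMPLE_CLASSPATH = {
    "log4j-core-2.8.2.jar": make_fake_jar("log4j-core", "2.8.2"),
    "log4j-api-2.13.3.jar": make_fake_jar("log4j-api", "2.13.3"),
    "other-lib-1.0.jar": make_fake_jar("other-lib", "1.0", group="com.example"),
}

if __name__ == "__main__":
    for name, version in scan_classpath(SAMPLE_CLASSPATH):
        print(f"{name}: log4j {version} is below 2.13.3")
```

The version comparison is tuple-wise on the numeric components, so a `2.13.3-SNAPSHOT` build counts as 2.13.3; if that distinction matters in your environment, treat qualifiers explicitly. The scan reads only the Maven metadata and never loads the jar, so it is safe to run against untrusted artifacts.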