[ https://issues.apache.org/jira/browse/BEAM-11055?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17249129#comment-17249129 ]

Beam JIRA Bot commented on BEAM-11055:
--------------------------------------

This issue is assigned but has not received an update in 30 days so it has been 
labeled "stale-assigned". If you are still working on the issue, please give an 
update and remove the label. If you are no longer working on the issue, please 
unassign so someone else may work on it. In 7 days the issue will be 
automatically unassigned.

> Update log4j to version 2.14.0
> ------------------------------
>
>                 Key: BEAM-11055
>                 URL: https://issues.apache.org/jira/browse/BEAM-11055
>             Project: Beam
>          Issue Type: Improvement
>          Components: build-system, io-java-elasticsearch
>            Reporter: Ismaël Mejía
>            Assignee: Ismaël Mejía
>            Priority: P2
>              Labels: stale-assigned
>          Time Spent: 6h 10m
>  Remaining Estimate: 0h
>
> Beam uses a version of log4j that is reported by some security tools to have 
> some security issues. Notice that Beam's use of log4j should not be impacted 
> by the issue.
> See [https://nvd.nist.gov/vuln/detail/CVE-2017-5645]
> The update in the vendored grpc module is to ensure it gets updated too in a 
> future release of our vendored dependencies. Notice that this is a runtime 
> dep for users so they are free to provide their own version so less of an 
> issue.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
