[
https://issues.apache.org/jira/browse/KYLIN-5144?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17464315#comment-17464315
]
Yaqian Zhang commented on KYLIN-5144:
-------------------------------------
Hi [~sonuSINGH]:

I discussed this issue with other developers in the community. Finally, we
thought that since we only referenced Avatica in Kylin's POM, we did not
package Avatica and its reference components, and did not use Avatica's
log-related functions, Kylin's reference to Avatica will not introduce the
security vulnerability of log4j into Kylin.

In order to maintain the stability of Kylin's functions as much as possible, we
will not consider upgrading Avatica for the time being.

It's a pity you can't raise this PR, but you can use the upgraded Avatica in
your local environment first.

> Apache Calcite Avatica is affected from log4j CVE-2021-44228.
> -------------------------------------------------------------
>
> Key: KYLIN-5144
> URL: https://issues.apache.org/jira/browse/KYLIN-5144
> Project: Kylin
> Issue Type: Improvement
> Components: Others
> Affects Versions: v3.1.3
> Reporter: Sonu Kumar Singh
> Assignee: Sonu Kumar Singh
> Priority: Major
> Fix For: v3.1.4
>
> Attachments: image-2021-12-21-15-08-37-651.png
>
>
> As per Apache Blogs (https://blogs.apache.org/security/entry/cve-2021-44228),
> Apache Calcite Avatica is affected by log4j CVE-2021-44228 and there is a
> suggestion from the Apache Calcite team to upgrade Apache Calcite Avatica to
> 1.20.0 (https://lists.apache.org/thread/3vn3j4fmr2dn9s0x1604pdxz7x4fo8wz)
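
The comment's reasoning depends on the distribution not packaging log4j-core alongside the Avatica reference. One way to check that against a built package, as an added example (not Kylin's or Avatica's code): scan every archive, including nested jars, for the `JndiLookup` class that CVE-2021-44228 relies on. The archive names and contents below are constructed samples.

```python
import io
import zipfile

# Class whose presence shows log4j-core 2.x is bundled; the bundled version
# must then be checked against the CVE-2021-44228 advisory.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def find_jndi_lookup(data, label, max_depth=5):
    """Return 'outer!/inner!/class' paths for every JndiLookup.class found."""
    hits = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not a readable archive, nothing to report
    with archive:
        for name in archive.namelist():
            if name.endswith(JNDI_LOOKUP):  # also matches prefixed copies
                hits.append(f"{label}!/{name}")
            elif name.lower().endswith(ARCHIVE_SUFFIXES) and max_depth > 0:
                nested = archive.read(name)  # descend into bundled jars
                hits += find_jndi_lookup(nested, f"{label}!/{name}", max_depth - 1)
    return hits


def make_zip(entries):
    """Build an in-memory archive from {entry name: bytes} (test helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def demo():
    # Constructed sample 1: only declares the dependency in POM metadata.
    thin = make_zip({"META-INF/maven/example/pom.xml": b"<artifactId>avatica</artifactId>"})
    # Constructed sample 2: bundles a jar that contains log4j-core classes.
    inner = make_zip({JNDI_LOOKUP: b"\xca\xfe\xba\xbe"})
    fat = make_zip({"WEB-INF/lib/log4j-core.jar": inner})
    return (find_jndi_lookup(thin, "example-thin.jar"),
            find_jndi_lookup(fat, "example-fat.war"))


if __name__ == "__main__":
    for result in demo():
        print(result or "no JndiLookup.class found")
```

An empty result supports the "referenced but not packaged" argument for that artifact only; jars that the deployment adds to the classpath at runtime need the same scan.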