[ https://issues.apache.org/jira/browse/KYLIN-5144?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17464954#comment-17464954 ]

Yaqian Zhang commented on KYLIN-5144:
-------------------------------------

Hi [~sonuSINGH], sorry for the late reply. Kylin did package Avatica's jar package, but 
Kylin did not introduce the log4j2 dependency by loading Avatica's jar 
package.

> Apache Calcite Avatica is affected from log4j CVE-2021-44228.
> -------------------------------------------------------------
>
>                 Key: KYLIN-5144
>                 URL: https://issues.apache.org/jira/browse/KYLIN-5144
>             Project: Kylin
>          Issue Type: Improvement
>          Components: Others
>    Affects Versions: v3.1.3
>            Reporter: Sonu Kumar Singh
>            Assignee: Sonu Kumar Singh
>            Priority: Major
>             Fix For: v3.1.4
>
>         Attachments: image-2021-12-21-15-08-37-651.png, screenshot-1.png
>
>
> As per Apache Blogs (https://blogs.apache.org/security/entry/cve-2021-44228), 
> Apache Calcite Avatica is affected by log4j CVE-2021-44228 and there is a 
> suggestion from the Apache Calcite team to upgrade Apache Calcite Avatica to 
> 1.20.0 (https://lists.apache.org/thread/3vn3j4fmr2dn9s0x1604pdxz7x4fo8wz)



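One way to check whether a packaged or shaded jar actually carries log4j2's core classes, as the comment above discusses for Kylin and Avatica. This is an added example, not part of the original thread or of Kylin's code; the function names and the in-memory sample archives are constructed for illustration.

```python
import io
import zipfile

# Class that performs the JNDI lookup abused in CVE-2021-44228. Matching on the
# file name alone also catches shaded jars that relocate the package.
MARKER = "JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
MAX_DEPTH = 5  # nesting limit so a crafted archive cannot recurse forever


def find_jndi_lookup(data, label, depth=0):
    """Return 'outer!/inner!/path' entries for every JndiLookup.class found."""
    hits = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not a readable archive, nothing to report
    with archive:
        for info in archive.infolist():
            name = info.filename
            where = f"{label}!/{name}"
            if name.rsplit("/", 1)[-1] == MARKER:
                hits.append(where)
            elif name.lower().endswith(ARCHIVE_SUFFIXES) and depth < MAX_DEPTH:
                hits.extend(find_jndi_lookup(archive.read(info), where, depth + 1))
    return hits


def scan_file(path):
    with open(path, "rb") as fh:
        return find_jndi_lookup(fh.read(), path)


def build_jar(entries):
    """Build an in-memory jar from {name: bytes}; used for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples, not real Kylin or Avatica artifacts.
CLEAN = build_jar({"org/apache/calcite/avatica/Meta.class": b"x"})
SHADED = build_jar({"shaded/org/apache/logging/log4j/core/lookup/JndiLookup.class": b"x"})
NESTED = build_jar({"WEB-INF/lib/bundled.jar": SHADED, "WEB-INF/lib/clean.jar": CLEAN})

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        for hit in scan_file(path):
            print(hit)
```

A hit only shows that log4j-core classes are bundled; the bundled version still has to be checked, since fixed log4j2 releases also ship `JndiLookup.class`.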