xuting created RATIS-1499:
-----------------------------
Summary: Is Apache Ratis 2.2.0 affected by the high-risk
vulnerability of the log4j 1.X series?
Key: RATIS-1499
URL: https://issues.apache.org/jira/browse/RATIS-1499
Project: Ratis
Issue Type: Bug
Affects Versions: 2.2.0
Reporter: xuting

Hello! I see that log4j 1.2.17 is used in Apache Ratis 2.2.0, and log4j 1.2.17
has three vulnerabilities: CVE-2022-23302, CVE-2022-23305, and CVE-2022-23307.
Is Apache Ratis 2.2.0 affected by the high-risk vulnerability of the log4j?
I searched the code of Ratis 2.2.0 and found that the JMSSink, JDBCAppender,
and Chainsaw vulnerabilities in log4j were not used in the code. Does this mean
Apache Ratis 2.2.0 is not affected by the log4j vulnerability?
And I see that the use of log4j has been deleted from the latest Ratis code.
When will a new version be released?
Thank you for your answers!
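The kind of search the message describes, as an added example that is not part of the original message or of Ratis: it scans a tree for references to the log4j 1.x classes behind the three listed CVEs, and it also covers log4j configuration files, where appenders are normally enabled. The fully qualified class names come from log4j 1.2 rather than from the message, and the file suffixes and the sample tree are constructed for this example.

```python
import re
import tempfile
from pathlib import Path

# log4j 1.2 classes/packages behind the three CVEs listed in the message.
AFFECTED = {
    "CVE-2022-23302": re.compile(r"org\.apache\.log4j\.net\.JMSSink\b"),
    "CVE-2022-23305": re.compile(r"org\.apache\.log4j\.jdbc\.JDBCAppender\b"),
    "CVE-2022-23307": re.compile(r"org\.apache\.log4j\.chainsaw\b"),
}
# Assumption: sources and logging configuration use these suffixes.
SCAN_SUFFIXES = {".java", ".properties", ".xml"}
# Single-line comment prefixes only; multi-line comments are still scanned,
# which errs on the side of reporting.
COMMENT_PREFIXES = ("#", "!", "//", "*", "<!--")


def scan_tree(root):
    """Return sorted (cve, relative_path, line_no) for each live reference."""
    root = Path(root)
    hits = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix not in SCAN_SUFFIXES:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        for line_no, line in enumerate(text.splitlines(), 1):
            if line.strip().startswith(COMMENT_PREFIXES):
                continue
            for cve, pattern in AFFECTED.items():
                if pattern.search(line):
                    rel = path.relative_to(root).as_posix()
                    hits.append((cve, rel, line_no))
    return sorted(hits)


def demo():
    """Scan a constructed tree: clean Java source, one risky config line."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "src").mkdir()
        (root / "conf").mkdir()
        (root / "src" / "Server.java").write_text(
            "import org.apache.log4j.Logger;\nclass Server {}\n")
        (root / "conf" / "log4j.properties").write_text(
            "log4j.rootLogger=INFO, console, db\n"
            "# log4j.appender.old=org.apache.log4j.jdbc.JDBCAppender\n"
            "log4j.appender.db=org.apache.log4j.jdbc.JDBCAppender\n")
        return scan_tree(root)
```

In the constructed tree the Java source is clean and the only finding comes from the properties file, which a search limited to source code would not report.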