[
https://issues.apache.org/jira/browse/RATIS-1499?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17480388#comment-17480388
]
Tsz-wo Sze commented on RATIS-1499:
-----------------------------------
Ratis uses slf4j-api with slf4j-log4j12 for printing logs in different log
levels. We probably could just use Java System.out and System.err for
simplicity and safety.
{quote}... found that the JMSSink, JDBCAppender, and Chainsaw vulnerabilities
in log4j were not used in the code.
{quote}
You are right that all the components above were not used in Ratis's code.
We even try to exclude the problematic JMSAppender.class in our jars.
- RATIS-1477. Exclude log4j JMSAppender.class in jar.
We probably will exclude the other problematic classes from our jars in the
future.
{quote}Does this mean Apache Ratis 2.2.0 is not affected by the log4j
vulnerability?
{quote}
I believe the answer is no – Ratis is NOT affected by the log4j
vulnerabilities. I am not sure if there are some 'clever' ways to configure log4j
in Ratis so that it becomes vulnerable.
> Is Apache Ratis 2.2.0 affected by the high-risk vulnerability of the log4j
> 1.X series?
> --------------------------------------------------------------------------------------
>
> Key: RATIS-1499
> URL: https://issues.apache.org/jira/browse/RATIS-1499
> Project: Ratis
> Issue Type: Bug
> Affects Versions: 2.2.0
> Reporter: xuting
> Priority: Blocker
>
> Hello! I see that log4j 1.2.17 is used in Apache Ratis 2.2.0, and log4j
> 1.2.17 has three vulnerabilities: CVE-2022-23302, CVE-2022-23305, and
> CVE-2022-23307.
> Is Apache Ratis 2.2.0 affected by the high-risk vulnerability of the log4j?
> I searched the code of Ratis 2.2.0 and found that the JMSSink, JDBCAppender,
> and Chainsaw vulnerabilities in log4j were not used in the code. Does this
> mean Apache Ratis 2.2.0 is not affected by the log4j vulnerability?
> And I see that the use of log4j has been deleted from the latest Ratis code.
> When will a new version be released?
> Thank you for your answers!
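The thread turns on one verifiable question: which log4j 1.x classes actually ship in the jars you deploy, since RATIS-1477 strips JMSAppender.class and the reporter's grep only covered Ratis's own sources, not the bundled log4j-1.2.17 artifact. The script below is an added example (editor's code, not part of the Jira thread and not Ratis project code) that opens every jar under a directory and reports entries for the components named in the issue: JMSSink (CVE-2022-23302), JDBCAppender (CVE-2022-23305), the chainsaw package (CVE-2022-23307) and JMSAppender (the class RATIS-1477 excludes). The entry paths are the standard log4j 1.2.x class locations; the two jars it scans are constructed in a temp directory with dummy class bodies so the example runs offline.

```python
"""Scan jar files for the log4j 1.x classes discussed in RATIS-1499.

Added example, not Ratis code. The CVE-to-class mapping follows the public
advisories for the three CVEs cited in the issue; the sample jars are
constructed here purely for demonstration.
"""
import os
import tempfile
import zipfile

# Jar entry (or package prefix, ending in '/') -> why a defender cares.
RISKY_ENTRIES = {
    "org/apache/log4j/net/JMSSink.class": "CVE-2022-23302 (JMSSink)",
    "org/apache/log4j/jdbc/JDBCAppender.class": "CVE-2022-23305 (JDBCAppender)",
    "org/apache/log4j/chainsaw/": "CVE-2022-23307 (Chainsaw)",
    # Removed from Ratis jars by RATIS-1477 (see the comment above).
    "org/apache/log4j/net/JMSAppender.class": "JMSAppender (excluded by RATIS-1477)",
}


def classify_entry(name):
    """Return the risk label for a jar entry, or None if it is not of interest."""
    for prefix, label in RISKY_ENTRIES.items():
        if name == prefix:
            return label
        if prefix.endswith("/") and name.startswith(prefix) and name.endswith(".class"):
            return label
    return None


def scan_jar(path):
    """Return sorted (entry, label) pairs for risky classes found in one jar."""
    hits = []
    with zipfile.ZipFile(path) as jar:
        for name in jar.namelist():
            label = classify_entry(name)
            if label:
                hits.append((name, label))
    return sorted(hits)


def scan_tree(root):
    """Walk a directory (e.g. a lib/ folder) and scan every .jar inside it.

    Returns {relative jar path: [(entry, label), ...]} for jars with hits only.
    """
    results = {}
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.endswith(".jar"):
                p = os.path.join(dirpath, f)
                hits = scan_jar(p)
                if hits:
                    results[os.path.relpath(p, root)] = hits
    return results


def build_sample_jars(root):
    """Write two CONSTRUCTED jars for the demo.

    'log4j-full.jar' mimics an untrimmed log4j 1.2.17; 'ratis-shaded.jar'
    mimics a jar where only JMSAppender was excluded, as RATIS-1477 does.
    Class bodies are a dummy magic number, not real bytecode.
    """
    dummy = b"\xca\xfe\xba\xbe"
    full = os.path.join(root, "log4j-full.jar")
    with zipfile.ZipFile(full, "w") as z:
        for n in ("org/apache/log4j/Logger.class",
                  "org/apache/log4j/net/JMSSink.class",
                  "org/apache/log4j/net/JMSAppender.class",
                  "org/apache/log4j/jdbc/JDBCAppender.class",
                  "org/apache/log4j/chainsaw/Main.class",
                  "org/apache/log4j/chainsaw/LoggingReceiver.class"):
            z.writestr(n, dummy)
    trimmed = os.path.join(root, "ratis-shaded.jar")
    with zipfile.ZipFile(trimmed, "w") as z:
        z.writestr("org/apache/log4j/Logger.class", dummy)
        # Excluding only JMSAppender still leaves the JMSSink class behind.
        z.writestr("org/apache/log4j/net/JMSSink.class", dummy)
    return full, trimmed


def demo():
    """Build the constructed jars in a temp dir and return the scan results."""
    with tempfile.TemporaryDirectory() as d:
        build_sample_jars(d)
        return scan_tree(d)


if __name__ == "__main__":
    for jar, hits in demo().items():
        print(jar)
        for entry, label in hits:
            print("   ", entry, "->", label)
```

Point `scan_tree` at a real lib/ directory to see what a build actually ships; the demo's second jar shows why excluding a single class (as RATIS-1477 does for JMSAppender) is not the same as removing every component named in the advisories, which is the follow-up the comment says is planned.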
--
This message was sent by Atlassian Jira
(v8.20.1#820001)