[
https://issues.apache.org/jira/browse/RATIS-1499?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
xuting resolved RATIS-1499.
---------------------------
Resolution: Fixed
> Is Apache Ratis 2.2.0 affected by the high-risk vulnerability of the log4j
> 1.X series?
> --------------------------------------------------------------------------------------
>
> Key: RATIS-1499
> URL: https://issues.apache.org/jira/browse/RATIS-1499
> Project: Ratis
> Issue Type: Bug
> Affects Versions: 2.2.0
> Reporter: xuting
> Priority: Blocker
>
> Hello! I see that log4j 1.2.17 is used in Apache Ratis 2.2.0, and log4j
> 1.2.17 has three vulnerabilities: CVE-2022-23302, CVE-2022-23305, and
> CVE-2022-23307.
> Is Apache Ratis 2.2.0 affected by the high-risk vulnerability of log4j?
> I searched the code of Ratis 2.2.0 and found that the JMSSink, JDBCAppender,
> and Chainsaw vulnerabilities in log4j were not used in the code. Does this
> mean Apache Ratis 2.2.0 is not affected by the log4j vulnerability?
> And I see that the use of log4j has been deleted from the latest Ratis code.
> When will a new version be released?
> Thank you for your answers!
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
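The check the reporter describes (looking for the JMSSink, JDBCAppender and Chainsaw components behind CVE-2022-23302, CVE-2022-23305 and CVE-2022-23307) can be done mechanically. The script below is an added example, not part of this Jira thread or of the Ratis code base; the directory layout and file contents it scans are constructed for the demonstration. It walks a source tree and reports every reference to the three log4j 1.x components, and it deliberately covers log4j `.properties` and `.xml` files as well as Java sources, because an appender such as JDBCAppender is normally enabled by a deployer's logging configuration rather than by an `import` in the project's own code, so grepping only the Java sources can miss an exposed deployment.

```python
"""Scan a source tree and its log4j 1.x configs for the components behind
CVE-2022-23302 (JMSSink), CVE-2022-23305 (JDBCAppender) and
CVE-2022-23307 (Chainsaw).  Added example; not Ratis project code."""
import os
import re
import tempfile

# Fully qualified class or package names of the affected log4j 1.x
# components, keyed by the CVE each one maps to.  The same patterns are
# applied to Java sources (imports / FQCNs) and to log4j configuration
# files (appender class names), since either one can pull the code in.
RISKY_COMPONENTS = {
    "CVE-2022-23302": re.compile(r"org\.apache\.log4j\.net\.JMSSink\b"),
    "CVE-2022-23305": re.compile(r"org\.apache\.log4j\.jdbc\.JDBCAppender\b"),
    "CVE-2022-23307": re.compile(r"org\.apache\.log4j\.chainsaw\b"),
}

# File types worth reading: Java sources plus the two log4j 1.x config formats.
SCANNED_SUFFIXES = (".java", ".properties", ".xml")


def scan_tree(root):
    """Return a sorted list of (cve, relative_path, line_no) for every hit."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(SCANNED_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, encoding="utf-8", errors="replace") as fh:
                for line_no, line in enumerate(fh, start=1):
                    for cve, pattern in RISKY_COMPONENTS.items():
                        if pattern.search(line):
                            findings.append((cve, rel, line_no))
    return sorted(findings)


def _write(root, rel, text):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)


def build_sample_tree():
    """Write a constructed mini project into a temp dir and return its path.

    Constructed sample data: one clean Java file that only uses Logger, one
    Java file that imports JMSSink, and a log4j.properties that wires up a
    JDBCAppender even though no Java source mentions it.
    """
    root = tempfile.mkdtemp(prefix="log4j1-scan-")
    _write(root, "src/main/java/Example.java",
           "package example;\n\nimport org.apache.log4j.Logger;\n")
    _write(root, "src/main/java/JmsBridge.java",
           "package example;\n\nimport org.apache.log4j.net.JMSSink;\n")
    _write(root, "conf/log4j.properties",
           "log4j.rootLogger=INFO, db\n"
           "log4j.appender.db=org.apache.log4j.jdbc.JDBCAppender\n")
    return root


if __name__ == "__main__":
    # Run against the constructed tree; point scan_tree at a real checkout
    # (and its deployed conf/ directory) for an actual assessment.
    for cve, rel, line_no in scan_tree(build_sample_tree()):
        print(f"{cve}: {rel}:{line_no}")
```

A clean result from this scan is necessary but not sufficient: it only shows that the project and the scanned configuration do not reference the three components, and log4j 1.2.17 remains end-of-life with no upstream fixes, so the durable remediation is the dependency change the reporter already noticed in the Ratis development branch.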