[
https://issues.apache.org/jira/browse/ZOOKEEPER-3677?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17010162#comment-17010162
]
Enrico Olivelli commented on ZOOKEEPER-3677:
--------------------------------------------
It looks like there is no fix in log4j and that the 1.x release branch is EOL.
We should drop it and use another logging implementation.
I feel the impact will be too big for this to be done in 3.6.0 as users will
have to change their configuration files for logging.
As we are not affected we could add an exclusion for 3.6 and move to log4j 2.x
in 3.7 (or logback).
On the other side it is possible that 3.6 will stay for quite a long time and I
don't know if we want to change the log framework on some 3.6.xy due to another
issue in log4j that we can't ignore.
> owasp checker failing for - CVE-2019-17571 Apache Log4j 1.2 deserialization
> of untrusted data in SocketServer
> -------------------------------------------------------------------------------------------------------------
>
> Key: ZOOKEEPER-3677
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3677
> Project: ZooKeeper
> Issue Type: Bug
> Components: security
> Reporter: Patrick D. Hunt
> Priority: Major
>
> Doesn't look like this impacts us (we don't use SocketServer) however we
> should figure out what to do as the owasp checker is failing and the rating
> is quite high (9.8 - bound to get interest)
> https://nvd.nist.gov/vuln/detail/CVE-2019-17571
> Perhaps ZOOKEEPER-2342 should be prioritized.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
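The "exclusion" discussed above would normally be an OWASP dependency-check suppression file; the following is an added illustration, not a file from the ZooKeeper project, and the file name and the exact log4j coordinates it matches are assumptions. It suppresses only CVE-2019-17571 and only for the log4j 1.2.x artifact, so a later finding against a different dependency or version is still reported.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Assumed file: owasp-suppressions.xml, referenced from the dependency-check plugin configuration. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[
      CVE-2019-17571: deserialization of untrusted data in log4j 1.2 SocketServer.
      Justification from ZOOKEEPER-3677: ZooKeeper does not use SocketServer,
      so the vulnerable code path is not reachable. Revisit when log4j 1.x is
      replaced (see ZOOKEEPER-2342 / the log4j 2.x or logback migration).
    ]]></notes>
    <!-- Match only the log4j 1.2.x artifact, not every dependency that mentions log4j. -->
    <packageUrl regex="true">^pkg:maven/log4j/log4j@1\.2\..*$</packageUrl>
    <!-- Suppress exactly this CVE; any other finding on the same artifact still fails the build. -->
    <cve>CVE-2019-17571</cve>
  </suppress>
</suppressions>
```

Keeping the justification in the notes element makes the suppression auditable when the dependency is eventually swapped out.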