[https://issues.apache.org/jira/browse/ZOOKEEPER-4423?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17457347#comment-17457347]
Patrick D. Hunt commented on ZOOKEEPER-4423:
--------------------------------------------
We use log4j v1 still, as such I don't believe this JIRA is valid. See ZOOKEEPER-2342.
[~svudutala] am I missing something here? The CVE is for log4j2 last I checked.
https://access.redhat.com/security/cve/cve-2021-44228
"This issue only affects log4j versions between 2.0 and 2.14.1"
also
"Due to the existence of JMS Appender which can use JNDI in the log4j 1.x, it
is possible that log4j version 1.x is also affected by this vulnerability. The
impact is still under investigation."
afaict we (zk) are not using any jms appender.
> Upgrade Log4j to 2.15.0 - CVE-2021-44228
> ----------------------------------------
>
> Key: ZOOKEEPER-4423
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4423
> Project: ZooKeeper
> Issue Type: Task
> Affects Versions: 3.6.0, 3.6.3, 3.7.0, 3.6.1, 3.6.2, 3.6.4
> Reporter: Sai Kiran Vudutala
> Priority: Major
>
> Log4j has an RCE vulnerability, see
> [https://www.lunasec.io/docs/blog/log4j-zero-day/]
> References.
> [https://github.com/advisories/GHSA-jfh8-c2jp-5v3q]
> [https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126]
>
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
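The comment above rests on one question: does the log4j 1.x configuration declare a JMSAppender (the only log4j 1.x component Red Hat flags as JNDI-capable), and is it actually attached to a logger? The following script is an added example, not code from the thread or from the ZooKeeper project; it parses a log4j 1.x properties file and reports any such appender. The class name `org.apache.log4j.net.JMSAppender` is the one shipped in log4j 1.2.x; the sample configuration is constructed for illustration.

```python
import re

# log4j 1.x appender classes that perform JNDI lookups. Only JMSAppender is
# named in the Red Hat note quoted above; this is its log4j 1.2.x class name.
JNDI_APPENDER_CLASSES = {"org.apache.log4j.net.JMSAppender"}

# "log4j.appender.NAME=fully.qualified.Class" (sub-keys like NAME.layout are skipped)
_APPENDER_RE = re.compile(r"^log4j\.appender\.([^.=\s]+)\s*=\s*(\S+)\s*$")
# "log4j.rootLogger=LEVEL, A1, A2" and "log4j.logger.some.pkg=LEVEL, A3"
_LOGGER_RE = re.compile(
    r"^log4j\.(rootLogger|rootCategory|logger\.[^=\s]+|category\.[^=\s]+)\s*=\s*(.*)$"
)

def parse_log4j1_properties(text):
    """Return (appender name -> class, set of appender names attached to a logger)."""
    appenders = {}
    attached = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        m = _APPENDER_RE.match(line)
        if m:
            appenders[m.group(1)] = m.group(2)
            continue
        m = _LOGGER_RE.match(line)
        if m:
            # First comma-separated token is the level; the rest are appender refs.
            parts = [p.strip() for p in m.group(2).split(",")]
            attached.update(p for p in parts[1:] if p)
    return appenders, attached

def find_jndi_appenders(text):
    """List JNDI-capable appenders; 'active' says whether a logger references it."""
    appenders, attached = parse_log4j1_properties(text)
    return [
        {"name": name, "class": cls, "active": name in attached}
        for name, cls in sorted(appenders.items())
        if cls in JNDI_APPENDER_CLASSES
    ]

# Constructed sample (not ZooKeeper's real log4j.properties): console logging
# plus a JMSAppender that is declared but never attached to a logger.
SAMPLE_CONFIG = """
log4j.rootLogger=INFO, CONSOLE
log4j.appender.CONSOLE=org.apache.log4j.ConsoleAppender
log4j.appender.CONSOLE.layout=org.apache.log4j.PatternLayout
log4j.appender.JMS=org.apache.log4j.net.JMSAppender
log4j.appender.JMS.TopicBindingName=logTopic
"""
```

Run `find_jndi_appenders(open("conf/log4j.properties").read())` against a deployment's config; an empty list means no JMSAppender is declared, and `active: False` means one is declared but unused.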