[ https://issues.apache.org/jira/browse/ZOOKEEPER-4423?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17458522#comment-17458522 ]

Patrick D. Hunt commented on ZOOKEEPER-4423:
--------------------------------------------

The general consensus is that 1.x, which zk uses through all versions, is not 
impacted as long as jms appender is not used, which we don't.
The original CVE page is updated:
https://access.redhat.com/security/cve/cve-2021-44228
and now links to https://access.redhat.com/security/cve/CVE-2021-4104


> Upgrade Log4j to 2.15.0 - CVE-2021-44228
> ----------------------------------------
>
>                 Key: ZOOKEEPER-4423
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4423
>             Project: ZooKeeper
>          Issue Type: Task
>    Affects Versions: 3.6.0, 3.6.3, 3.7.0, 3.6.1, 3.6.2, 3.6.4
>            Reporter: Sai Kiran Vudutala
>            Priority: Major
>
> Log4j has an RCE vulnerability, see 
> [https://www.lunasec.io/docs/blog/log4j-zero-day/]
> References. 
> [https://github.com/advisories/GHSA-jfh8-c2jp-5v3q]
> [https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126]
>  



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
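
A check for the condition stated in the comment above, as an added example that is not part of the original message or of ZooKeeper's code: it scans Log4j 1.x properties text for appenders of class `org.apache.log4j.net.JMSAppender` and reports whether any logger references them. The two sample configurations are constructed; `${...}` substitution and `log4j.xml` files are not handled, so an unreferenced definition still deserves a manual look.

```python
import re

JMS_CLASS = "org.apache.log4j.net.JMSAppender"  # the Log4j 1.x JMS appender class
LOGGER_KEYS = ("log4j.rootLogger", "log4j.rootCategory")
LOGGER_PREFIXES = ("log4j.logger.", "log4j.category.")

def parse_properties(text):
    """Return key/value pairs from .properties text, skipping blanks and comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props

def jms_appenders(text):
    """Map each JMSAppender name to True if a logger references it, else False."""
    props = parse_properties(text)
    # Appender definitions have the form log4j.appender.<NAME>=<class>
    defined = {k.split(".", 2)[2]: v for k, v in props.items()
               if re.fullmatch(r"log4j\.appender\.[^.]+", k)}
    # Logger values have the form <level>, <appender>, <appender>, ...
    attached = set()
    for k, v in props.items():
        if k in LOGGER_KEYS or k.startswith(LOGGER_PREFIXES):
            attached.update(name.strip() for name in v.split(",")[1:])
    return {n: n in attached for n, cls in defined.items() if cls == JMS_CLASS}

# Constructed sample: the JMS appender appears only in a commented-out line.
SAFE = """\
log4j.rootLogger=INFO, CONSOLE, ROLLINGFILE
log4j.appender.CONSOLE=org.apache.log4j.ConsoleAppender
log4j.appender.ROLLINGFILE=org.apache.log4j.RollingFileAppender
#log4j.appender.JMS=org.apache.log4j.net.JMSAppender
"""
# Constructed sample: BUS is attached to a logger, SPARE is defined but unused.
RISKY = """\
log4j.rootLogger=INFO, CONSOLE
log4j.logger.audit=WARN, BUS
log4j.appender.CONSOLE=org.apache.log4j.ConsoleAppender
log4j.appender.BUS = org.apache.log4j.net.JMSAppender
log4j.appender.BUS.TopicBindingName=placeholder
log4j.appender.SPARE=org.apache.log4j.net.JMSAppender
"""

if __name__ == "__main__":
    for label, cfg in (("SAFE", SAFE), ("RISKY", RISKY)):
        print(label, jms_appenders(cfg) or "no JMSAppender configured")
```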