[
https://issues.apache.org/jira/browse/ZOOKEEPER-4423?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17458522#comment-17458522
]
Patrick D. Hunt edited comment on ZOOKEEPER-4423 at 12/13/21, 4:32 PM:
-----------------------------------------------------------------------
The general consensus is that 1.x, which ZK uses through all versions, is not
impacted as long as the JMS appender is not used, which we don't.
The original CVE page published by Red Hat is updated:
https://access.redhat.com/security/cve/cve-2021-44228
and now links to https://access.redhat.com/security/cve/CVE-2021-4104
was (Author: phunt):
The general consensus is that 1.x, which ZK uses through all versions, is not
impacted as long as the JMS appender is not used, which we don't.
The original CVE page is updated:
https://access.redhat.com/security/cve/cve-2021-44228
and now links to https://access.redhat.com/security/cve/CVE-2021-4104
> Upgrade Log4j to 2.15.0 - CVE-2021-44228
> ----------------------------------------
>
> Key: ZOOKEEPER-4423
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4423
> Project: ZooKeeper
> Issue Type: Task
> Affects Versions: 3.6.0, 3.6.3, 3.7.0, 3.6.1, 3.6.2, 3.6.4
> Reporter: Sai Kiran Vudutala
> Priority: Major
>
> Log4j has an RCE vulnerability, see
> [https://www.lunasec.io/docs/blog/log4j-zero-day/]
> References.
> [https://github.com/advisories/GHSA-jfh8-c2jp-5v3q]
> [https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126]
>
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
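
An added example, not part of the original message or of ZooKeeper's code: one way to check the condition stated in the comment above, by scanning a log4j 1.x properties file for appenders of class `org.apache.log4j.net.JMSAppender` and reporting which of them are attached to a logger. The sample configuration and the function names are constructed for illustration.

```python
import re

JMS_CLASS = "org.apache.log4j.net.JMSAppender"

# Constructed sample log4j 1.x properties (not ZooKeeper's shipped config).
SAMPLE = """\
log4j.rootLogger=INFO, CONSOLE, AUDIT
log4j.appender.CONSOLE=org.apache.log4j.ConsoleAppender
#log4j.appender.OLD=org.apache.log4j.net.JMSAppender
log4j.appender.AUDIT = org.apache.log4j.net.\\
    JMSAppender
log4j.appender.AUDIT.TopicBindingName=auditTopic
log4j.appender.SPARE=org.apache.log4j.net.JMSAppender
"""

def parse_properties(text):
    """Return key/value pairs, skipping comments and joining '\\' continuations."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in "#!"):
            continue
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        line, pending = pending + line, ""
        m = re.match(r"([^=:\s]+)\s*[=:\s]\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def find_jms_appenders(text):
    """List JMSAppender definitions and those referenced by any logger."""
    props = parse_properties(text)
    defined = {k.rsplit(".", 1)[1] for k, v in props.items()
               if re.fullmatch(r"log4j\.appender\.[^.]+", k) and v == JMS_CLASS}
    attached = set()
    for k, v in props.items():
        if k in ("log4j.rootLogger", "log4j.rootCategory") or \
                k.startswith(("log4j.logger.", "log4j.category.")):
            # Value is "LEVEL, appender1, appender2, ..."
            attached.update(n.strip() for n in v.split(",")[1:])
    return {"defined": sorted(defined), "attached": sorted(attached & defined)}

if __name__ == "__main__":
    print(find_jms_appenders(SAMPLE))
```

This covers `.properties` files only; `log4j.xml` configurations and custom subclasses of the appender need a separate check.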