[
https://issues.apache.org/jira/browse/ARROW-15058?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17461518#comment-17461518
]
David Dali Susanibar Arce commented on ARROW-15058:
---------------------------------------------------
Hi Team
Log4J 2.x \{15,16} are discovering more vector attacks.
Log4J 2.x is not mandatory and needed by arrow-performance. I delete that
dependency and compile and execute the code and it is worked as expected
Please [~fan_li_ya] / [~ana4] let me know if we could move with delete than
dependency as suggested at [https://github.com/apache/arrow/pull/11966]
> [Java] Update log4j2 version to 2.15.0 in performance module
> ------------------------------------------------------------
>
> Key: ARROW-15058
> URL: https://issues.apache.org/jira/browse/ARROW-15058
> Project: Apache Arrow
> Issue Type: Improvement
> Components: Java
> Affects Versions: 6.0.1
> Reporter: Ada Wong
> Assignee: Liya Fan
> Priority: Critical
> Labels: pull-request-available
> Time Spent: 20m
> Remaining Estimate: 0h
>
> 2.0 <= Apache log4j2 <= 2.14.1 have a RCE zero day.
> [https://logging.apache.org/log4j/2.x/security.html]
> [https://www.cyberkendra.com/2021/12/worst-log4j-rce-zeroday-dropped-on.html]
> [https://www.lunasec.io/docs/blog/log4j-zero-day/]
>
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
