ctubbsii commented on issue #418: URL: https://github.com/apache/fluo-muchos/issues/418#issuecomment-994828981
Muchos is an internal tool used by developers of Fluo/Accumulo for cluster testing. It is not "released" software from the ASF, and as such, the Fluo PMC cannot recommend it be used in production or anywhere outside a development environment where it could be exposed to an attacker trying to exploit that CVE or any other. For the developer use cases it was written for, the tool only deploys software under the explicit control of the developer. If the developer wishes to deploy vulnerable code for the purposes of testing, that is an acceptable use case. Muchos itself doesn't depend on, or deploy log4j for its own purposes, but only deploys it as part of whatever version of Accumulo, Fluo, Hadoop, ZooKeeper, etc., that it was instructed to deploy. If those versions include a vulnerable version, they should be updated upstream. Muchos shouldn't modify them, but should deploy what it is instructed to deploy. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
