fbin87 opened a new issue #14993: URL: https://github.com/apache/shardingsphere/issues/14993
On January 20, 2022, PSIRT monitoring found that Apache officially released the risk notice of Log4j (version 1.x), the vulnerability numbers are CVE-2022-23302, CVE-2022-23305, CVE-2022-23307. Vulnerability Rating: Critical, Vulnerability Score: 9.8. These vulnerabilities only affect Log4j 1.x versions, and Log4j 2 versions are not affected. After analysis, it was found that the log4j 1.x version was passively dependenced through zookeeper and other modules in the sharding source code. mvn tree: [INFO] +- org.apache.curator:curator-client:jar:2.10.0:compile [INFO] | \- org.apache.zookeeper:zookeeper:jar:3.4.6:compile [INFO] | +- log4j:log4j:jar:1.2.16:compile [INFO] | \- jline:jline:jar:0.9.94:compile [INFO] | +- org.springframework.boot:spring-boot-starter-logging:jar:1.5.22.RELEASE:provided [INFO] | | +- org.slf4j:jul-to-slf4j:jar:1.7.7:provided [INFO] | | \- org.slf4j:log4j-over-slf4j:jar:1.7.26:provided Will sharding versions 4.1.1 and 3.1.0 be affected? If so, is there an upgrade plan? Waiting for the reply eagerly. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
