[ https://issues.apache.org/jira/browse/CASSANDRA-17434?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Brandon Williams updated CASSANDRA-17434: ----------------------------------------- Resolution: Invalid Status: Resolved (was: Triage Needed) We haven't used log4j since CASSANDRA-5883. > CVE-2019-17571 from log4j 1.2.17 > -------------------------------- > > Key: CASSANDRA-17434 > URL: https://issues.apache.org/jira/browse/CASSANDRA-17434 > Project: Cassandra > Issue Type: Improvement > Reporter: Donatello > Priority: Normal > > "cassandra:4.0.3" image scanning reveals critical vulnerability due to > dependency on log4j 1.2.17: > CVE-2019-17571 / CWE-502 Deserialization of Untrusted Data > Could you please share your rationale of not upgrading log4j to 2.x > Thanks. -- This message was sent by Atlassian Jira (v8.20.1#820001) --------------------------------------------------------------------- To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org