Re: Log4j vulnerability

2022-01-11 Thread Anthony Grasso
Hi Arvinder, You are correct; tlp-stress includes Log4j as one of its libraries and users will need to update the JAR file. On 16th December 2021, tlp-stress was updated [1] to include Log4j 2.16.0 which fixed CVE-2021-45046. Version 5.0.0 was released which included this change. Unfortunately,

Re: Log4j vulnerability

2022-01-10 Thread Arvinder Dhillon
If anyone uses the tlp-stress tool, it uses Log4j. It might not be in use most of the time; you might want to remove/upgrade the jar. On Mon, Dec 13, 2021 at 3:58 PM Bowen Song wrote: > Do you mean the log4j-over-slf4j-#.jar? If so, please read: > http://slf4j.org/log4shell.html > > On 13/12/2021

Re: Log4j vulnerability

2021-12-13 Thread Bowen Song
Do you mean the log4j-over-slf4j-#.jar? If so, please read: http://slf4j.org/log4shell.html On 13/12/2021 23:48, Rahul Reddy wrote: Hello, I see this jar, log4j-over-slf4j-1.7.7.jar. Does it have any impact on it? What is that jar used for? On Sat, Dec 11, 2021 at 12:45 PM Brandon

Re: Log4j vulnerability

2021-12-13 Thread Rahul Reddy
Hello, I see this jar, log4j-over-slf4j-1.7.7.jar. Does it have any impact on it? What is that jar used for? On Sat, Dec 11, 2021 at 12:45 PM Brandon Williams wrote: > https://issues.apache.org/jira/browse/CASSANDRA-5883 > > As that ticket shows, Apache Cassandra has never used log4j2. > >

Re: Log4j vulnerability

2021-12-12 Thread Stefan Miklosovic
Hi users, I would just add that a dependency check ant target was recently added (by me) to scan the deps for CVEs. People can execute that themselves with "ant dependency-check" and it will scan the database of vulnerabilities automatically against the Cassandra libraries we ship. Regards

Re: Log4j vulnerability

2021-12-11 Thread Brandon Williams
https://issues.apache.org/jira/browse/CASSANDRA-5883 As that ticket shows, Apache Cassandra has never used log4j2. On Sat, Dec 11, 2021 at 11:07 AM Abdul Patel wrote: > > Hi all, > > Any idea if any of open source Cassandra versions are impacted with log4j > vulnerability which was reported on

Re: Log4j vulnerability

2021-12-11 Thread James Brown
As far as I can tell, Cassandra uses logback, not log4j2, so it shouldn't be affected. The logback website, in fact, now has some quite snarky language differentiating it from log4j2. On Sat, Dec 11, 2021 at 9:07 AM Abdul Patel wrote: > Hi all, > > Any idea if any of