In short, `log4j-api` and `log4j-to-slf4j` started to exist at 1.20, but it is already 2.15.
> On Dec 13, 2021, at 17:44, James Turton <dz...@apache.org> wrote:
>
> Dear user community
>
> You've probably heard about this severe vulnerability in the ubiquitous Log4j
> library which was uncovered at the end of last week. Drill uses the slf4j
> library for logging and our assessment is that existing versions of Drill are
> not vulnerable because they do not include the affected component (Log4j
> Core). Note that this is an informal assessment by developers in the
> community, please consult an InfoSec professional if you require a formal
> assessment.
>
> Drill does include a log4j-to-slf4j shim, and we did merge an update to this
> component <https://github.com/apache/drill/pull/2403> since the Log4j project
> bumped its version number when they patched Log4j Core, but we do not believe
> that Drill installations without this update are vulnerable. It will be
> shipped with Drill 1.20 nonetheless.
>
> https://www.cve.org/CVERecord?id=CVE-2021-44228
> https://www.lunasec.io/docs/blog/log4j-zero-day/
>
> Regards
>
> James Turton
> Apache Drill Committer
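One way to check the reasoning in the quoted assessment (an install that carries only `log4j-api` and `log4j-to-slf4j` does not contain Log4j Core), added here as an example and not taken from the thread or from the Drill project: scan a directory tree for archives, including nested ones, that hold log4j-core's `JndiLookup` class. The jar names written by `build_sample` are constructed test input.

```python
import io
import os
import sys
import zipfile

# JndiLookup ships only in log4j-core, not in log4j-api or log4j-to-slf4j.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")

def scan_archive(fileobj, label, hits):
    """Append label to hits if this archive, or one nested in it, holds JNDI_CLASS."""
    try:
        with zipfile.ZipFile(fileobj) as zf:
            for name in zf.namelist():
                if name == JNDI_CLASS:
                    hits.append(label)
                elif name.lower().endswith(ARCHIVE_EXT):
                    scan_archive(io.BytesIO(zf.read(name)), f"{label}!{name}", hits)
    except zipfile.BadZipFile:
        pass  # not a readable archive, so there is nothing to report

def scan_tree(root):
    """Return sorted labels of archives under root that contain log4j-core's JndiLookup."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(ARCHIVE_EXT):
                with open(os.path.join(dirpath, fn), "rb") as fh:
                    scan_archive(fh, os.path.relpath(fh.name, root), hits)
    return sorted(hits)

def jar(entries):
    """Build an in-memory jar from a {entry name: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def build_sample(root):
    """Constructed sample: two shim-only jars and a fat jar that bundles log4j-core."""
    files = {"log4j-api.jar": jar({"org/apache/logging/log4j/Logger.class": b""}),
             "log4j-to-slf4j.jar": jar({"org/apache/logging/slf4j/SLF4JLogger.class": b""}),
             "plugin-fat.jar": jar({"lib/log4j-core.jar": jar({JNDI_CLASS: b""})})}
    for name, data in files.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    print("\n".join(scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".")))
```

Run it with an installation's jar directory as the argument; an empty result means no archive under that path contains the class.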