The hadoop.apache.org page is curiously silent about this, and there is no CVE. Isn't this library used in Hadoop? Pretty sure I saw log4j.properties somewhere. Can anybody shed some light on the vulnerability of a Hadoop installation? Can it be exploited via RPC? The HDFS or YARN web interface? The command line?
Thanks, Rupert