Many of you have probably become aware of Log4j's vulnerability to
CVE-2021-44228 recently.

Though Mahout is a sleepy project, we are vigilant and want you to know we
are aware of the issue and have been monitoring.

First, let me assure you that since Mahout (like over 90% of log4j users)
is on version 1.x it is not vulnerable to the JNDI remote execution attack
[1]. That said, 1.x was set for EOL in 2015, so it's probably time to
update that. I've made a JIRA ticket (MAHOUT-2140)[2].

The update isn't too complex, but it's also not trivial, and most
importantly it's not critical so you're not endangering anything running
Mahout, and we'll hopefully get it in for the next release in a couple of
months.

Hope this helps everyone feel secure going into their holiday season.

~Trevor

[1] http://slf4j.org/log4shell.html
[2] https://issues.apache.org/jira/projects/MAHOUT/issues/MAHOUT-2140
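The message above rests on one fact: which log4j artifact is actually on the classpath. The script below is an added example (not Mahout's code, not Trevor's) of the defender-side check that fact calls for. It inventories the jars in a directory, tells log4j 1.x apart from log4j-core 2.x by their entry names and Maven `pom.properties`, and flags a 2.x jar as exposed to CVE-2021-44228 only when it is in the affected version range and still contains `JndiLookup.class`. The three sample jars it scans are constructed in a temp directory and contain only marker entries; the `demo()` and `scan_classpath()` names are this example's own.

```python
"""Inventory log4j jars on a classpath directory and flag CVE-2021-44228 exposure.

Hypothetical defender-side check (not part of Mahout). It only reads jar entry
names and Maven pom.properties; it loads no classes and executes nothing.
"""
import re
import tempfile
import zipfile
from pathlib import Path

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LOG4J1_MARKER = "org/apache/log4j/Logger.class"
POM_2X = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
POM_1X = "META-INF/maven/log4j/log4j/pom.properties"


def _version_from_pom(zf, path):
    """Read 'version=...' from a Maven pom.properties entry, or None if absent."""
    try:
        text = zf.read(path).decode("utf-8", "replace")
    except KeyError:
        return None
    for line in text.splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def _affected_2x(version):
    """CVE-2021-44228 affects log4j-core 2.0-beta9 through 2.14.1.

    Unknown or unparseable versions are treated as affected (conservative).
    The earlier 2.0 betas also come out as affected; that is a harmless
    false positive for an inventory check.
    """
    if version is None:
        return True
    m = re.match(r"(\d+)\.(\d+)", version)
    if not m:
        return True
    major, minor = int(m.group(1)), int(m.group(2))
    return major == 2 and minor < 15


def classify_jar(jar_path):
    """Describe the log4j flavour inside one jar, or return None if it has none."""
    with zipfile.ZipFile(jar_path) as zf:
        names = set(zf.namelist())
        if JNDI_LOOKUP in names or POM_2X in names:
            version = _version_from_pom(zf, POM_2X)
            has_jndi = JNDI_LOOKUP in names
            return {
                "family": "log4j-core 2.x",
                "version": version,
                "jndi_lookup_present": has_jndi,
                # Exposure needs both an affected version and the lookup class
                # still present (deleting it from the jar was a documented workaround).
                "cve_2021_44228": has_jndi and _affected_2x(version),
            }
        if LOG4J1_MARKER in names or POM_1X in names:
            # log4j 1.x has no JNDI message-lookup path, so it is not affected by
            # CVE-2021-44228 (it is EOL, which is a separate reason to upgrade).
            return {
                "family": "log4j 1.x",
                "version": _version_from_pom(zf, POM_1X),
                "jndi_lookup_present": False,
                "cve_2021_44228": False,
            }
    return None


def scan_classpath(directory):
    """Classify every top-level *.jar in a directory; returns {filename: finding}."""
    findings = {}
    for jar in sorted(Path(directory).glob("*.jar")):
        result = classify_jar(jar)
        if result is not None:
            findings[jar.name] = result
    return findings


def _write_sample_jar(path, entries):
    """Build a constructed stand-in jar containing only the named entries."""
    with zipfile.ZipFile(path, "w") as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)


def demo():
    """Constructed sample classpath: one log4j 1.x jar and two log4j-core 2.x jars."""
    tmp = Path(tempfile.mkdtemp())
    _write_sample_jar(tmp / "log4j-1.2.17.jar",
                      {LOG4J1_MARKER: b"", POM_1X: "version=1.2.17\n"})
    _write_sample_jar(tmp / "log4j-core-2.14.1.jar",
                      {JNDI_LOOKUP: b"", POM_2X: "version=2.14.1\n"})
    _write_sample_jar(tmp / "log4j-core-2.17.0.jar",
                      {JNDI_LOOKUP: b"", POM_2X: "version=2.17.0\n"})
    return scan_classpath(tmp)


if __name__ == "__main__":
    for name, finding in demo().items():
        flag = "AFFECTED" if finding["cve_2021_44228"] else "not affected"
        print(f"{name}: {finding['family']} {finding['version']} -> {flag}")
```

Point `scan_classpath()` at a real `lib/` directory to get the same report for a deployment. It deliberately looks only at top-level jars; shaded or fat jars that bundle log4j-core inside another archive would need the same check applied recursively.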
