[ https://issues.apache.org/jira/browse/AVRO-3304?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17477371#comment-17477371 ]
Daniel Nash edited comment on AVRO-3304 at 1/17/22, 7:16 PM:
-------------------------------------------------------------
[~rskraba], we are using the avro-tool jar directly for IDL generation from
avdl files. We are then generating C# code from that.
I know there is absolutely no way our use can be exploited by these
vulnerabilities, but the security people only care that their scanners are
triggering. Plus, there are some other CVEs that are present in the jar that
also need to be dealt with by an update.
was (Author: JIRAUSER283548):
[~rskraba], we are using the avro-tool jar directly for IDL generation from
avdl files. We are then generating the C# code from that.
I know there is absolutely no way our use can be exploited by these
vulnerabilities, but the security people only care that their scanners are
triggering. Plus, there are some other CVEs that are present in the jar that
also need to be dealt with by an update.
> avro-tools Update log4j dependency for critical vulnerability
> -------------------------------------------------------------
>
> Key: AVRO-3304
> URL: https://issues.apache.org/jira/browse/AVRO-3304
> Project: Apache Avro
> Issue Type: Task
> Components: tools
> Affects Versions: 1.11.0
> Reporter: Daniel Nash
> Assignee: Ryan Skraba
> Priority: Major
> Labels: pull-request-available
> Time Spent: 50m
> Remaining Estimate: 0h
>
> Our company security is having a fit because Nessus scans are triggering on
> the bundled log4j in the avro-tools.jar. Please update the log4j
> dependencies to the latest versions to remove the critical vulnerability
> present in the currently bundled log4j.