Dilip anand created ZOOKEEPER-4450:
--------------------------------------

             Summary: Zookeeper 3.7.0 is using Vulnerable log4j of 1.2.17
                 Key: ZOOKEEPER-4450
                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4450
             Project: ZooKeeper
          Issue Type: Bug
          Components: audit
    Affects Versions: 3.6.2, 3.7.0
         Environment: Production
            Reporter: Dilip anand
            Assignee: Mohammad Arshad

Hello Team,

We are currently using Zookeeper of 3.4.6 and found the below log4j security vulnerability. The sad part is zookeeper is using too old log4j jar file and the fixed version of log4j is 2.16.0.

Can we get the "log4j" fixed version of zookeeper as soon as possible to include it in the production setup?

Nessus scan report::
---------------------

  Path              : /opt/zookeeper/zookeeper-3.4.10/bin/../lib/log4j-1.2.16.jar
  Installed version : 1.2.16
  Fixed version     : 2.16.0

  Path              : /opt/zookeeper/zookeeper-3.4.10/contrib/rest/lib/log4j-1.2.15.jar
  Installed version : 1.2.15
  Fixed version     : 2.16.0

  Path              : /opt/zookeeper/zookeeper-3.4.10/lib/log4j-1.2.16.jar
  Installed version : 1.2.16
  Fixed version     : 2.16.0

Regards,
Anandaa

--
This message was sent by Atlassian Jira (v8.20.1#820001)