[
https://issues.apache.org/jira/browse/MESOS-10234?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17467229#comment-17467229
]
Charles Natali commented on MESOS-10234:
----------------------------------------
Hi [~snalkar]
Sorry for the delay, but Mesos has very little resources, and holiday season
doesn't help.
I've had a quick look, and log4j only seems to be used for tests - Mesos is
mostly written in C++, so it's not surprising.
It's possible it's used in some third-party dependencies included, but I'd be
surprised if it was exploitable.
I'll have a more thorough look after the holidays.
Cheers,
> CVE-2021-44228 Log4j vulnerability for apache mesos
> ---------------------------------------------------
>
> Key: MESOS-10234
> URL: https://issues.apache.org/jira/browse/MESOS-10234
> Project: Mesos
> Issue Type: Bug
> Components: build
> Affects Versions: 1.11.0
> Reporter: Sangita Nalkar
> Priority: Critical
>
> Hi,
> Wanted to know if CVE-2021-44228 Log4j vulnerability is affecting Apache
> mesos.
> We see that log4j v1.2.17 is used while building apache mesos from source.
> Snippet from build logs:
> std=c++11 -MT jvm/org/apache/libjava_la-log4j.lo -MD -MP -MF
> jvm/org/apache/.deps/libjava_la-log4j.Tpo -c
> ../../src/jvm/org/apache/log4j.cpp -fPIC -DPIC -o
> jvm/org/apache/.libs/libjava_la-log4j.o
> Thanks,
> Sangita
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
