[ https://issues.apache.org/jira/browse/MESOS-10234?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17467338#comment-17467338 ]
Andrei Sekretenko commented on MESOS-10234:
-------------------------------------------

Talking about production code - I don't see how agent/master could be affected; the only potentially affected things are the Java scheduler libraries.

At first glance there, it indeed looks like scheduler libraries do not use log4j. Which would mean that only example frameworks and tests might be affected.

> CVE-2021-44228 Log4j vulnerability for apache mesos
> ---------------------------------------------------
>
>                 Key: MESOS-10234
>                 URL: https://issues.apache.org/jira/browse/MESOS-10234
>             Project: Mesos
>          Issue Type: Bug
>          Components: build
>    Affects Versions: 1.11.0
>            Reporter: Sangita Nalkar
>            Priority: Critical
>
> Hi,
> Wanted to know if CVE-2021-44228 Log4j vulnerability is affecting Apache
> mesos.
> We see that log4j v1.2.17 is used while building apache mesos from source.
> Snippet from build logs:
> std=c++11 -MT jvm/org/apache/libjava_la-log4j.lo -MD -MP -MF
> jvm/org/apache/.deps/libjava_la-log4j.Tpo -c
> ../../src/jvm/org/apache/log4j.cpp  -fPIC -DPIC -o
> jvm/org/apache/.libs/libjava_la-log4j.o
> Thanks,
> Sangita

--
This message was sent by Atlassian Jira (v8.20.1#820001)