[ https://issues.apache.org/jira/browse/ZOOKEEPER-4431?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17469059#comment-17469059 ]
Samuel Lim commented on ZOOKEEPER-4431:
---------------------------------------

Hello, would appreciate it if we could give this a priority, as log4j 1.x has been out of support since August 2015 and many security patches have been rolled out since then. Looking forward to hearing from the community and contributors. Thanks.

> Log4j vulnerabilities in Apache zookeeper
> -----------------------------------------
>
>                 Key: ZOOKEEPER-4431
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4431
>             Project: ZooKeeper
>          Issue Type: Bug
>    Affects Versions: 3.6.2
>         Environment: Prod
>            Reporter: lekshmi anandakrishnan
>            Priority: Critical
>
> Please confirm whether Apache ZooKeeper 3.6.2 has any impact on the below
> log4j CVEs. Apache ZooKeeper uses log4j 1.2.17, and the Log4J 1.X version
> reached end of life in Aug 2015 and is vulnerable already.
>
> |CVE ID|Title|
> |CVE-2021-4104 (1.X)|Apache Log4j 1.2 Remote Code Execution Vulnerability|
> |CVE-2021-45105 (2.X)|Apache Log4j Remote Code Execution (RCE) Vulnerability (Log4Shell)|
> |CVE-2021-45046 (2.X)|Apache Log4j Remote Code Execution (RCE) Vulnerability (CVE-2021-45046)|
> |CVE-2021-44228 (2.X)|Apache Log4j Remote Code Execution (RCE) Vulnerability (Log4Shell)|

--
This message was sent by Atlassian Jira
(v8.20.1#820001)