Log4j, CVE-2021-44228, and Mahout

2021-12-13 Thread Trevor Grant
Many of you have probably become aware of Log4j's vulnerability to
CVE-2021-44228 recently.

Though Mahout is a sleepy project, we are vigilant and want you to know we
are aware of the issue and have been monitoring.

First, let me assure you that since Mahout (like over 90% of log4j users)
is on version 1.x it is not vulnerable to the JNDI remote execution attack
[1]. That said, 1.x was set for EOL in 2015, so it's probably time to
update that. I've made a JIRA ticket (MAHOUT-2140)[2].

The update isn't too complex, but it's also not trivial, and most
importantly it's not critical so you're not endangering anything running
Mahout, and we'll hopefully get it in for the next release in a couple of
months.

Hope this helps everyone feel secure going into their holiday season.

~Trevor

[1] http://slf4j.org/log4shell.html
[2] https://issues.apache.org/jira/projects/MAHOUT/issues/MAHOUT-2140
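A quick way to check the point Trevor makes above (which log4j line a build actually pulls in, and whether that line is the one CVE-2021-44228 hits) is to scan the output of `mvn dependency:tree`. The script below is an added example, not Mahout's code or anything from the ticket; it assumes Maven's `groupId:artifactId:packaging:version[:scope]` coordinate format with no classifier column, and the sample tree it parses is constructed for illustration rather than taken from Mahout's real build. The fix thresholds it encodes are the Apache Logging advisory's: log4j-core 2.15.0 on the main line, 2.12.2 on the Java 7 line and 2.3.1 on the Java 6 line; pre-release suffixes such as `2.0-beta9` are truncated to their numeric part, so early 2.0 betas are flagged conservatively.

```python
"""Classify log4j artifacts in `mvn dependency:tree` output against CVE-2021-44228."""
import re
from typing import List, Tuple

# Constructed sample of `mvn dependency:tree` output (illustrative only, not Mahout's tree).
SAMPLE_TREE = """\
[INFO] org.example:app:jar:1.0.0
[INFO] +- log4j:log4j:jar:1.2.17:compile
[INFO] +- org.slf4j:slf4j-log4j12:jar:1.7.25:compile
[INFO] +- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO] \\- org.apache.logging.log4j:log4j-core:jar:2.14.1:runtime
"""

# groupId:artifactId:packaging:version as printed by Maven.
# Assumption: no classifier column (group:artifact:type:classifier:version:scope).
ARTIFACT_RE = re.compile(
    r"(?P<group>[A-Za-z0-9_.\-]+):(?P<artifact>[A-Za-z0-9_.\-]+):"
    r"(?P<packaging>[A-Za-z0-9_\-]+):(?P<version>[A-Za-z0-9_.\-]+)"
)

# First log4j-core release on each maintained line that closes CVE-2021-44228.
FIXED_IN = {(2, 3): (2, 3, 1), (2, 12): (2, 12, 2)}
DEFAULT_FIX = (2, 15, 0)


def parse_version(text: str) -> Tuple[int, int, int]:
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0) (pre-release suffix dropped)."""
    numeric = text.split("-", 1)[0]
    parts: List[int] = []
    for piece in numeric.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    while len(parts) < 3:          # pad so (2, 15) compares equal to (2, 15, 0)
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def classify(group: str, artifact: str, version: str) -> str:
    """Return a verdict string for log4j coordinates, or '' for unrelated artifacts."""
    v = parse_version(version)
    if group == "log4j" and artifact == "log4j" and v[0] == 1:
        # 1.x has no Lookup machinery, so the ${jndi:...} trigger does not exist there.
        return "log4j 1.x: not affected by CVE-2021-44228, but EOL since 2015"
    if group == "org.apache.logging.log4j" and artifact == "log4j-api":
        # JndiLookup ships in log4j-core; the API jar alone carries no lookup code.
        return "log4j-api only: nothing to patch for CVE-2021-44228 in this jar"
    if group == "org.apache.logging.log4j" and artifact == "log4j-core":
        fix = FIXED_IN.get(v[:2], DEFAULT_FIX)
        fix_text = ".".join(map(str, fix))
        if v < fix:
            return f"log4j-core {version}: AFFECTED by CVE-2021-44228, upgrade to {fix_text}+"
        return f"log4j-core {version}: not affected by CVE-2021-44228"
    return ""


def scan_dependency_tree(text: str) -> List[Tuple[str, str]]:
    """Return (coordinate, verdict) pairs for every log4j artifact found in the tree."""
    findings = []
    for line in text.splitlines():
        m = ARTIFACT_RE.search(line)
        if not m:
            continue
        verdict = classify(m["group"], m["artifact"], m["version"])
        if verdict:
            findings.append((f"{m['group']}:{m['artifact']}:{m['version']}", verdict))
    return findings


if __name__ == "__main__":
    # Real use: mvn dependency:tree > tree.txt, then pass the file contents instead.
    for coord, verdict in scan_dependency_tree(SAMPLE_TREE):
        print(f"{coord:50s} {verdict}")
```

Run it against a saved `mvn dependency:tree` of the module you actually deploy (including transitive scopes), since a 1.x dependency declared in the POM says nothing about whether some plugin or transitive dependency also drags in an old `log4j-core`.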


Re: Log4j, CVE-2021-44228, and Mahout

2021-12-13 Thread Andrew Musselman
Thanks Trevor; may be a good time to revive our online meetings to talk
through this one.

I could find time during the holiday break pretty much any day; if anyone
else is interested let us know if there's a good time to chat.

On Mon, Dec 13, 2021 at 4:26 PM Trevor Grant wrote:

> Many of you have probably become aware of Log4j's vulnerability to
> CVE-2021-44228 recently.
>
> Though Mahout is a sleepy project, we are vigilant and want you to know we
> are aware of the issue and have been monitoring.
>
> First, let me assure you that since Mahout (like over 90% of log4j users)
> is on version 1.x it is not vulnerable to the JNDI remote execution attack
> [1]. That said, 1.x was set for EOL in 2015, so it's probably time to
> update that. I've made a JIRA ticket (MAHOUT-2140)[2].
>
> The update isn't too complex, but it's also not trivial, and most
> importantly it's not critical so you're not endangering anything running
> Mahout, and we'll hopefully get it in for the next release in a couple of
> months.
>
> Hope this helps everyone feel secure going into their holiday season.
>
> ~Trevor
>
> [1] http://slf4j.org/log4shell.html
> [2] https://issues.apache.org/jira/projects/MAHOUT/issues/MAHOUT-2140
>