Hi,

Given the widespread attention to the recent log4j vulnerability (CVE-2021-44228), I'd like to share an update from the Hadoop developer community regarding the incident.

As you probably know, Apache Hadoop depends on the log4j library to keep log files. The highlighted vulnerability CVE-2021-44228 affects log4j2 2.0-beta9 through 2.15.0. Hadoop has been using log4j 1.2.x for the last 10 years and therefore no release is affected by it.

That said, another CVE, CVE-2021-4104, states that the JMSAppender in log4j 1.2.x, which is used by Apache Hadoop, is vulnerable to the same attack. Fortunately, it is not configured by default and Hadoop does not enable it by default.

For more information and mitigation, please check out Hadoop's CVE list page:
https://hadoop.apache.org/cve_list.html

Wei-Chiu
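The message above says the JMSAppender is not enabled by default; what an operator actually wants is a way to confirm that for their own deployment. The following is an added example, not part of the mail or of the Hadoop project: it parses a log4j 1.2 `log4j.properties` file, lists any appender defined with the `org.apache.log4j.net.JMSAppender` class, and reports which of those are actually attached to the root logger or a named logger (a defined but unreferenced appender is inert). The two configuration snippets are constructed for the example and are not taken from a real cluster.

```python
import re
from typing import Dict, List, Set

# Class name of the appender that CVE-2021-4104 concerns (log4j 1.2.x).
JMS_APPENDER_CLASS = "org.apache.log4j.net.JMSAppender"

# Constructed sample configs (not from any real Hadoop deployment).
SAFE_CONFIG = """
# typical default: console appender only
log4j.rootLogger=INFO,console
log4j.appender.console=org.apache.log4j.ConsoleAppender
log4j.appender.console.layout=org.apache.log4j.PatternLayout
"""

JMS_CONFIG = """
log4j.rootLogger=INFO, console, jms
log4j.appender.console=org.apache.log4j.ConsoleAppender
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.TopicBindingName=logTopic
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal key=value parser for a log4j 1.2 properties file."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def find_jms_appenders(props: Dict[str, str]) -> List[str]:
    """Names of appenders whose class is the JMSAppender."""
    names = []
    for key, value in props.items():
        m = re.fullmatch(r"log4j\.appender\.([^.]+)", key)
        if m and value == JMS_APPENDER_CLASS:
            names.append(m.group(1))
    return names


def active_appenders(props: Dict[str, str]) -> Set[str]:
    """Appender names referenced by rootLogger or any named logger/category."""
    active: Set[str] = set()
    for key, value in props.items():
        if key in ("log4j.rootLogger", "log4j.rootCategory") or key.startswith(
            ("log4j.logger.", "log4j.category.")
        ):
            parts = [p.strip() for p in value.split(",")]
            active.update(parts[1:])  # first entry is the log level
    return active


def audit(text: str) -> Dict[str, List[str]]:
    """Report JMSAppenders that are defined and those actually wired to a logger."""
    props = parse_properties(text)
    jms = find_jms_appenders(props)
    return {"defined": sorted(jms), "active": sorted(set(jms) & active_appenders(props))}
```

Run `audit()` over the contents of each `log4j.properties` shipped in your Hadoop configuration directory; an empty `active` list means the appender named in CVE-2021-4104 is not in use.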