Dear user community

You've probably heard about this severe vulnerability in the ubiquitous Log4j library which was uncovered at the end of last week.  Drill uses the slf4j library for logging and our assessment is that existing versions of Drill are not vulnerable because they do not include the affected component (Log4j Core).  Note that this is an informal assessment by developers in the community, please consult an InfoSec professional if you require a formal assessment.

Drill does include a log4j-to-slf4j shim, and we did merge an update to this component <https://github.com/apache/drill/pull/2403> since the Log4j project bumped its version number when they patched Log4j Core, but we do not believe that Drill installations without this update are vulnerable. It will be shipped with Drill 1.20 nonetheless.

https://www.cve.org/CVERecord?id=CVE-2021-44228
https://www.lunasec.io/docs/blog/log4j-zero-day/

Regards

James Turton
Apache Drill Committer

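The assessment above rests on one checkable fact: whether the affected component (Log4j Core) is present on the classpath at all. The script below is an added example, not Drill's own code and not from the mail thread, that verifies this for an arbitrary install directory by walking every .jar (including jars nested inside shaded or uber jars) and looking for the class that actually performs the JNDI lookup in Log4j 2 Core, `org/apache/logging/log4j/core/lookup/JndiLookup.class`, which neither log4j-api nor the log4j-to-slf4j shim contains. The sample install tree it builds (a shim jar, a log4j-core jar, and an uber jar nesting a log4j-core jar) is constructed for the demonstration and is not a real Drill distribution; the `jars/` layout and the file names are assumptions.

```python
import io
import os
import tempfile
import zipfile

# Entry that identifies Log4j 2 Core (log4j-core). It is not present in
# log4j-api or in the log4j-to-slf4j shim, which only routes Log4j API calls
# to SLF4J.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven metadata that log4j-core jars ship; used only to report the version.
CORE_POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def _core_version(zf):
    """Version string from log4j-core's pom.properties, or None if absent."""
    try:
        props = zf.read(CORE_POM_PROPS).decode("utf-8", "replace")
    except KeyError:
        return None
    for line in props.splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def _scan_open_zip(zf, label, hits):
    """Append (label, version) for this zip and any nested jar holding JndiLookup."""
    names = set(zf.namelist())
    if JNDI_LOOKUP in names:
        hits.append((label, _core_version(zf)))
    for name in names:
        if name.endswith(".jar"):  # shaded / uber jars bundle their dependencies
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                    _scan_open_zip(inner, f"{label}!{name}", hits)
            except zipfile.BadZipFile:
                continue


def scan_tree(root):
    """Walk an install directory; return sorted (jar label, log4j-core version) hits.
    An empty list means no Log4j 2 Core classes were found in any jar."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for f in sorted(files):
            if not f.endswith(".jar"):
                continue
            path = os.path.join(dirpath, f)
            try:
                with zipfile.ZipFile(path) as zf:
                    _scan_open_zip(zf, os.path.relpath(path, root), hits)
            except zipfile.BadZipFile:
                continue  # not a real zip; skip rather than abort the scan
    return sorted(hits)


def build_sample_install(root=None):
    """Constructed sample tree (assumption: not a real Drill distribution).
    Contains a clean shim jar, a log4j-core jar, and an uber jar that nests
    a log4j-core jar. Returns the root directory."""
    root = root or tempfile.mkdtemp()
    jars = os.path.join(root, "jars")
    os.makedirs(jars, exist_ok=True)
    with zipfile.ZipFile(os.path.join(jars, "log4j-to-slf4j-2.17.0.jar"), "w") as zf:
        zf.writestr("org/apache/logging/slf4j/Log4jLogger.class", b"\xca\xfe\xba\xbe")
    with zipfile.ZipFile(os.path.join(jars, "log4j-core-2.14.1.jar"), "w") as zf:
        zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
        zf.writestr(CORE_POM_PROPS, "version=2.14.1\nartifactId=log4j-core\n")
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
    with zipfile.ZipFile(os.path.join(jars, "some-uber-1.0.jar"), "w") as zf:
        zf.writestr("lib/log4j-core-2.14.1.jar", inner.getvalue())
    return root


if __name__ == "__main__":
    root = build_sample_install()
    for label, version in scan_tree(root):
        print(f"log4j-core found: {label} (version {version or 'unknown'})")
```

Run it against a real install by calling `scan_tree("/path/to/drill")` instead of the constructed tree. The shim jar produces no hit, the bare log4j-core jar is reported with its version, and the nested copy inside the uber jar is reported with a `!` path so you can see which outer artifact carried it in; a version of `None` only means the jar lacked the Maven metadata, not that it is safe.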