It's the same story for the second incarnation, CVE-2021-45046. We're
updating log4j-api and log4j-to-slf4j to 2.16 but do not believe
that either of these components was vulnerable.
https://www.zdnet.com/article/second-log4j-vulnerability-found-apache-log4j-2-16-0-released/
On 2021/12/13 13:35, luoc wrote:
In short, `log4j-api` and `log4j-to-slf4j` started to exist at 1.20, but it is
already 2.15.
On Dec 13, 2021, at 17:44, James Turton <[email protected]> wrote:
Dear user community
You've probably heard about this severe vulnerability in the ubiquitous Log4j
library which was uncovered at the end of last week. Drill uses the slf4j
library for logging and our assessment is that existing versions of Drill are
not vulnerable because they do not include the affected component (Log4j Core).
Note that this is an informal assessment by developers in the community,
please consult an InfoSec professional if you require a formal assessment.
Drill does include a log4j-to-slf4j shim, and we did merge an update to this
component <https://github.com/apache/drill/pull/2403> since the Log4j project
bumped its version number when they patched Log4j Core, but we do not believe that
Drill installations without this update are vulnerable. It will be shipped with
Drill 1.20 nonetheless.
https://www.cve.org/CVERecord?id=CVE-2021-44228
https://www.lunasec.io/docs/blog/log4j-zero-day/
Regards
James Turton
Apache Drill Committer
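The assessment above rests on one fact about the shipped jars: the vulnerable JNDI lookup lives only in Log4j Core, not in log4j-api or the log4j-to-slf4j shim. The script below, an added example that is not code from the Drill project or from this thread, turns that reasoning into a check that a deployer can run against a lib/ directory. It assumes Maven-style jar names (<artifact>-<version>.jar), uses 2.16 as the fixed-version cut-off because that is the version the thread moves to, and looks for the class path org/apache/logging/log4j/core/lookup/JndiLookup.class inside every jar so that a copy of Core shaded into some other artifact is not missed. The sample jars it builds are constructed placeholders, not real Log4j releases.

```python
"""Scan a directory of jars for Log4j Core exposure (CVE-2021-44228 / CVE-2021-45046).

Added example, not code from the Drill project. Assumptions: jars follow the
Maven naming convention <artifact>-<version>.jar, and 2.16 (the version the
thread moves to) is treated as the fixed version.
"""
import re
import tempfile
import zipfile
from pathlib import Path

FIXED_VERSION = (2, 16, 0)  # cut-off taken from the thread; assumption
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JAR_NAME_RE = re.compile(r"^(log4j-[a-z0-9-]+?)-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text):
    """'2.16' -> (2, 16, 0); pads short versions so tuples compare cleanly."""
    parts = tuple(int(p) for p in text.split("."))
    return (parts + (0, 0, 0))[:3]


def assess_jar(path):
    """Classify one jar. Only log4j-core carries the vulnerable JNDI lookup;
    log4j-api and log4j-to-slf4j are reported as not affected, as in the thread."""
    with zipfile.ZipFile(path) as zf:
        has_jndi = JNDI_LOOKUP_CLASS in zf.namelist()
    match = JAR_NAME_RE.match(path.name)
    artifact = match.group(1) if match else None
    version = parse_version(match.group(2)) if match else None

    if artifact == "log4j-core":
        if version >= FIXED_VERSION:
            verdict = "PATCHED"
        elif not has_jndi:
            verdict = "MITIGATED"   # JndiLookup.class deleted from an older core jar
        else:
            verdict = "VULNERABLE"
    elif has_jndi:
        verdict = "REVIEW"          # Log4j Core classes shaded into some other jar
    else:
        verdict = "NOT_AFFECTED"
    return {"jar": path.name, "artifact": artifact, "version": version,
            "jndi_lookup": has_jndi, "verdict": verdict}


def assess_install(lib_dir):
    """Assess every *.jar directly under lib_dir."""
    return [assess_jar(p) for p in sorted(Path(lib_dir).glob("*.jar"))]


def overall_verdict(reports):
    """Worst verdict wins, so one unpatched core jar taints the whole install."""
    verdicts = {r["verdict"] for r in reports}
    for v in ("VULNERABLE", "REVIEW", "MITIGATED", "PATCHED"):
        if v in verdicts:
            return v
    return "NOT_AFFECTED"


def build_sample_lib(lib_dir):
    """Constructed sample: tiny zip files with placeholder entries that mimic
    what a distribution's lib/ directory could contain. Not real Log4j jars."""
    samples = {
        "log4j-api-2.15.0.jar": ["org/apache/logging/log4j/Logger.class"],
        "log4j-to-slf4j-2.15.0.jar": ["org/apache/logging/slf4j/SLF4JLogger.class"],
        "log4j-core-2.14.1.jar": [JNDI_LOOKUP_CLASS],
        "log4j-core-2.16.0.jar": [JNDI_LOOKUP_CLASS],   # class still shipped; JNDI off by default
        "log4j-core-2.10.0.jar": ["org/apache/logging/log4j/core/Logger.class"],  # class deleted
        "some-other-lib-1.0.jar": [JNDI_LOOKUP_CLASS],  # shaded copy of core
    }
    lib = Path(lib_dir)
    for name, entries in samples.items():
        with zipfile.ZipFile(lib / name, "w") as zf:
            for entry in entries:
                zf.writestr(entry, b"")  # placeholder bytes, not real class files
    return lib


def run_sample():
    """Build the constructed sample in a temp dir and assess it."""
    with tempfile.TemporaryDirectory() as tmp:
        reports = assess_install(build_sample_lib(tmp))
    return reports, overall_verdict(reports)


if __name__ == "__main__":
    reports, overall = run_sample()
    for r in reports:
        print(f"{r['verdict']:13} {r['jar']}  (JndiLookup present: {r['jndi_lookup']})")
    print("overall:", overall)
```

Point it at a real installation with `assess_install("/path/to/drill/jars")`. The name match is a heuristic, which is why the class-path probe runs on every jar: a renamed or shaded Core would otherwise be reported as clean. A MITIGATED result reflects the class-removal workaround that Apache documented for older releases and is weaker than a PATCHED result, so it should be treated as a prompt to upgrade rather than as a closed finding.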