Ignite-log4j is the code that links Ignite to log4j. It does not contain a copy of log4j.
Log4j is version 1.x of log4j, which wasn’t vulnerable. IIRC, log4j 1.x has subsequently been removed from Ignite. > On 20 May 2022, at 15:03, Surinder Mehra <redni...@gmail.com> wrote: > > Hi, as per page below, log4j CVE is already fixed in ignite 2.11.1 > https://blogs.apache.org/ignite/entry/apache-ignite-2-11-1 > <https://blogs.apache.org/ignite/entry/apache-ignite-2-11-1> > > Affected log4j versions were 2.0-2.14. I can see ignite 2.11.1 contains two > log4j jar files below. Can you please confirm these log4j versions are not > affected by CVE anymore ? Or did I miss something? > > ignite-log4j-2.11.1.jar > log4j-1.2.17.jar