No, sorry. But CVE-2019-17571 affects neither the Zookeeper client nor the Zookeeper server. We have an open ticket about this problem. Probably we will move to slf4j in 3.7. Any help or contribution in this direction will be very much appreciated.
Enrico

On Sat, 1 Feb 2020, 00:58 Daniel Chan <daniel.cw.c...@oracle.com> wrote:
> Hi,
>
> One of the Zookeeper 3.5.6 dependencies is:
>
> log4j
> log4j 1.2.17
>
> However, Log4j 1.x has reached end of life according to
> https://logging.apache.org/log4j/1.2/ and it also has a security
> vulnerability:
>
> CVE-2019-17571 has been identified against Log4j 1. Log4j includes a
> SocketServer that accepts serialized log events and deserializes them
> without verifying whether the objects are allowed or not. This can provide
> an attack vector that can be exploited. Since Log4j 1 is no longer
> maintained this issue will not be fixed. Users are urged to upgrade to
> Log4j 2.
>
> Is there any plan to upgrade to log4j 2.x? Or will it work if we just
> replace with log4j 2 jars?
>
> Thanks,
> Daniel