I just finished reading through the latest Jira comments and links.  Has
there been any consensus reached thus far on whether or not ZK is planning
an upgrade to Log4j 2.16.0 (or at least providing it as an option behind
slf4j)?

I understand the arguments for/against Log4j 1.x and won't repeat them all
here.  I'm asking because I know some more cautious organizations are still
taking action to attempt to mitigate existing ZK installations regardless.

Has anyone made an attempt to see how much effort would be involved in the
upgrade?  Would you all be open to a pull request?

Thanks for all of your hard work on ZK!

~Brent

On Mon, Dec 13, 2021 at 8:36 AM Patrick Hunt <ph...@apache.org> wrote:

> This issue is being tracked on ZOOKEEPER-4423.
>
> ZK 3.4 does not use log4j 2.x - all versions of zk currently use log4j 1.x.
>
> Regards,
>
> Patrick
>
>
> On Mon, Dec 13, 2021 at 4:02 AM Prasanna kumar <
> prasannakumarram...@gmail.com> wrote:
>
> > Could anyone confirm the same on 3.4 versions?
> >
> > On Sun, Dec 12, 2021 at 9:58 AM tison <wander4...@gmail.com> wrote:
> >
> > > Hi Anchal,
> > >
> > > I don't speak on behalf of the PMC but it seems ZK just uses log4j 1.x, not
> > > the affected version.
> > >
> > > Best,
> > > tison.
> > >
> > >
> > > On Sun, Dec 12, 2021 at 12:19, Anchal Sharma2 <anchs...@in.ibm.com> wrote:
> > >
> > > > Hi All,
> > > >
> > > > Does anyone know the impact of the Log4J security vulnerability
> > > > CVE-2021-44228 on zookeeper (version 3.5.8) and the mitigation? I
> > > > couldn't find any news on the zookeeper website.
> > > >
> > > > Thanks
> > > > Anchal Sharma
> > > >
> > > >
> > >
> >
>
