Hi Devs,

Last week, many people left comments in the issues/PRs listed below asking whether there will be a newer Druid patch release, such as 0.22.2, that fixes the new vulnerabilities (CVE-2021-45046 <https://nvd.nist.gov/vuln/detail/CVE-2021-45046> and CVE-2021-45105 <https://nvd.nist.gov/vuln/detail/CVE-2021-45105>) affecting log4j 2.15.0 and 2.16.0:

https://github.com/apache/druid/issues/12054
https://github.com/apache/druid/pull/12061
https://github.com/apache/druid/pull/12051

So, I bring up this topic here for discussion so that all of us can get a clear message on whether we should do a patch release. The following is my personal opinion:

From the description of these two CVE announcements, we can see that these two problems only affect log4j pattern layouts which involve the thread context map (MDC). Since Druid's default pattern layout DOES NOT use such a pattern layout, I think it's safe to say that it's not affected by these vulnerabilities. So we don't need to release another patch release to address these two problems. We can address them in the upcoming major release, 0.23, which is going to be released next month if everything goes as scheduled.

Frank
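The message above rests on whether a deployment's log4j pattern layouts read the Thread Context Map. The following is an added example for this thread, not code from the Apache Druid project: it audits a log4j2 XML configuration and flags every PatternLayout whose pattern references the Thread Context Map, either through a `${ctx:...}` lookup (including the `$${ctx:...}` form) or through the `%X` / `%mdc` / `%MDC` converters named in the NVD descriptions. The `log4j2.xml` content embedded below is constructed to exercise the check and is not Druid's shipped configuration.

```python
"""Audit a log4j2 XML configuration for PatternLayout patterns that read the
Thread Context Map (MDC) via ${ctx:...} lookups or %X/%mdc/%MDC converters.

Added example for the druid-dev thread on CVE-2021-45046 / CVE-2021-45105; not
Apache Druid project code. SAMPLE_CONFIG is a constructed configuration, not
Druid's real log4j2.xml.
"""
import re
import xml.etree.ElementTree as ET

# ${ctx:key} lookups; the same regex also matches the $${ctx:key} spelling
# because that string still contains "${ctx:".
MDC_LOOKUP = re.compile(r"\$\{ctx:")
# Thread Context Map converters. The negative lookahead keeps %X from matching
# a different converter whose name merely begins with X.
MDC_CONVERTER = re.compile(r"%(?:X|mdc|MDC)(?![A-Za-z])")


def pattern_uses_mdc(pattern: str) -> bool:
    """Return True if one layout pattern reads from the Thread Context Map."""
    return bool(MDC_LOOKUP.search(pattern) or MDC_CONVERTER.search(pattern))


def iter_layout_patterns(config_xml: str):
    """Yield (appender_name, pattern) for every PatternLayout in the config.

    log4j2 accepts the pattern either as a ``pattern`` attribute or as a nested
    ``<Pattern>`` element; both forms are handled here.
    """
    root = ET.fromstring(config_xml)
    for appender in root.iter():
        for layout in appender.findall("PatternLayout"):
            name = appender.get("name", appender.tag)
            pattern = layout.get("pattern")
            if pattern is None:
                child = layout.find("Pattern")
                pattern = child.text if child is not None and child.text else ""
            yield name, pattern


def find_mdc_layouts(config_xml: str) -> list:
    """Return (appender, pattern) pairs whose layout reads the MDC."""
    return [(n, p) for n, p in iter_layout_patterns(config_xml) if pattern_uses_mdc(p)]


# Constructed sample: one plain layout and two layouts that read the MDC.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{ISO8601} %p [%t] %c - %m%n"/>
    </Console>
    <Console name="WithLookup" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %p [%t] user=$${ctx:loginId} %c - %m%n"/>
    </Console>
    <File name="WithConverter" fileName="app.log">
      <PatternLayout>
        <Pattern>%d %p %X{requestId} %c - %m%n</Pattern>
      </PatternLayout>
    </File>
  </Appenders>
  <Loggers>
    <Root level="info">
      <AppenderRef ref="Console"/>
    </Root>
  </Loggers>
</Configuration>
"""

if __name__ == "__main__":
    hits = find_mdc_layouts(SAMPLE_CONFIG)
    if hits:
        for name, pattern in hits:
            print(f"appender {name!r} reads the Thread Context Map: {pattern}")
    else:
        print("no PatternLayout reads the Thread Context Map")
```

Run it against a deployment's actual `log4j2.xml` by passing the file contents to `find_mdc_layouts`; an empty result means no configured layout reads the MDC, which is the condition the message above relies on. Properties- or YAML-format log4j2 configurations are not parsed by this XML-only example.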