Is Zeppelin affected by the recently discovered log4j vulnerability?
I was not able to find an official announcement. Thanks.
The pom.xml says log4j is version 1.2.17 which, if I am not mistaken, is
the patched version.
That's what is in github now - it says nothing (to me) about older versions
in use.
On Thu, Dec 16, 2021 at 7:28 AM Pastrana, Rodrigo (RIS-BCT) <
rodrigo.pastr...@lexisnexisrisk.com> wrote:
> Is Zeppeli
Thanks Jack, I see that as well, but the concern is it seems that entry was
added to the top-level pom 7 years ago, and I thought the recent patch was
released in log4j-core 2.15 and 2.16
https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-core/2.16.0
Has Zeppelin avoided CVE-2021-4
1.2.17 is from the old 1.0 branch and not affected by CVE-2021-44228.
Versions 1.* never had the JNDI lookup code.
It is only log4j 2 that is vulnerable. Fixed in 2.15 and an enhanced fix in
2.16.
/Markus
On 16 Dec 2021 at 17:39:44, Jack Park wrote:
> The pom.xml says log4j is version 1.2.17 w
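The distinction Markus draws (log4j 1.x never had the JNDI lookup; log4j 2 below 2.15 is vulnerable, 2.15 carries the first fix and 2.16 the enhanced one) is exactly what an operator needs to encode when inventorying a Zeppelin installation, since the pom.xml alone says nothing about what interpreters or bundled jars actually ship. The script below is an added example, not code from the Zeppelin project or from anyone on this thread: it classifies jar files by artifact name and version and, for pre-2.15 log4j-core jars, also checks whether `JndiLookup.class` is present, so a jar that was patched by deleting that class is reported as mitigated rather than vulnerable. The sample jars it builds in memory are constructed for illustration; the status strings and the `scan_directory` helper are my own naming.

```python
"""Inventory log4j jars and classify them against CVE-2021-44228.

Added example; not code from the Zeppelin project or the thread's authors.
Version thresholds follow the thread: log4j 1.x never had the JNDI lookup,
log4j 2 < 2.15 is vulnerable, 2.15 carries the first fix, 2.16 the enhanced one.
"""
import io
import re
import zipfile
from pathlib import Path

# Class that implements the JNDI lookup in log4j 2.x; operators unable to
# upgrade immediately commonly deleted it from the jar as a mitigation.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

# Matches log4j-1.2.17.jar (1.x line) and log4j-core-2.14.1.jar (2.x line).
# log4j-api-*.jar deliberately does not match: the lookup lives in core.
JAR_NAME_RE = re.compile(r"^(log4j|log4j-core)-(\d+)\.(\d+)(?:\.(\d+))?\.jar$")


def parse_jar_name(filename):
    """Return (artifact, (major, minor, patch)) or None if not a log4j jar."""
    m = JAR_NAME_RE.match(filename)
    if not m:
        return None
    artifact, major, minor, patch = m.groups()
    return artifact, (int(major), int(minor), int(patch or 0))


def classify_jar(filename, jar_bytes):
    """Classify one jar; the status strings are this example's own vocabulary."""
    parsed = parse_jar_name(filename)
    if parsed is None:
        return "not-log4j"
    artifact, version = parsed
    if artifact == "log4j" and version[0] == 1:
        # 1.x never shipped the JNDI lookup, but the branch is end-of-life.
        return "log4j1-not-affected-but-eol"
    if artifact == "log4j-core" and version[0] == 2:
        if version >= (2, 16, 0):
            return "fixed-2.16"
        if version >= (2, 15, 0):
            return "fixed-2.15-upgrade-to-2.16"
        # Older 2.x: vulnerable unless the lookup class was stripped out.
        with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
            has_jndi = JNDI_LOOKUP_CLASS in zf.namelist()
        return "vulnerable" if has_jndi else "mitigated-class-removed"
    return "unknown-log4j-version"


def scan_jars(jars):
    """jars: mapping filename -> jar bytes. Returns filename -> status."""
    return {name: classify_jar(name, data) for name, data in jars.items()}


def scan_directory(root):
    """Read every *.jar under root (e.g. a Zeppelin install) and classify it."""
    root = Path(root)
    return scan_jars({p.name: p.read_bytes() for p in root.rglob("*.jar")})


def make_jar(entries):
    """Build an in-memory jar (a zip) holding the given entry names (test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for entry in entries:
            zf.writestr(entry, b"")
    return buf.getvalue()


def sample_jars():
    """Constructed sample inventory, not taken from a real Zeppelin install."""
    return {
        "log4j-1.2.17.jar": make_jar(["org/apache/log4j/Logger.class"]),
        "log4j-core-2.14.1.jar": make_jar([JNDI_LOOKUP_CLASS]),
        "log4j-core-2.16.0.jar": make_jar([JNDI_LOOKUP_CLASS]),
        "log4j-api-2.14.1.jar": make_jar(["org/apache/logging/log4j/Logger.class"]),
    }


if __name__ == "__main__":
    for name, status in sorted(scan_jars(sample_jars()).items()):
        print(f"{name:28s} {status}")
```

Run it against a real tree with `scan_directory("/path/to/zeppelin")`; anything reported as `vulnerable` or `unknown-log4j-version` deserves a manual look, and a `log4j1-not-affected-but-eol` hit is the situation Rodrigo describes: clear for CVE-2021-44228 but still an end-of-life dependency.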
Thanks Markus, that confirms my understanding.
Also, I believe log4j1 is at end-of-life and susceptible to other security
vulnerabilities, which is why I’m looking forward to an official statement from
the Zeppelin project.
From: Markus Härnvi
Sent: Thursday, December 16, 2021 12:23 PM
To: users
FYI found a couple of relevant Jiras:
https://issues.apache.org/jira/browse/ZEPPELIN-5613
https://issues.apache.org/jira/browse/ZEPPELIN-3527
https://issues.apache.org/jira/browse/ZEPPELIN-5452
Unfortunately none seem to be active.
From: Pastrana, Rodrigo (RIS-BCT)
Sent: Thursday, December 16, 2