Thanks for confirming. Just one thing. I just downloaded ignite 2.11.1 and 2.12.x and I can still see log4j.1.2.17 in it.
Is it removed in 2.13 onwards? On Fri, 20 May 2022, 20:27 Stephen Darlington, < stephen.darling...@gridgain.com> wrote: > Ignite-log4j is the code that links Ignite to log4j. It does not contain a > copy of log4j. > > Log4j is version 1.x of log4j, which wasn’t vulnerable. IIRC, log4j 1.x > has subsequently been removed from Ignite. > > On 20 May 2022, at 15:03, Surinder Mehra <redni...@gmail.com> wrote: > > Hi, as per page below, log4j CVE is already fixed in ignite 2.11.1 > https://blogs.apache.org/ignite/entry/apache-ignite-2-11-1 > > Affected log4j versions were 2.0-2.14. I can see ignite 2.11.1 contains > two log4j jar files below. Can you please confirm these log4j versions are > not affected by CVE anymore ? Or did I miss something? > > ignite-log4j-2.11.1.jar > log4j-1.2.17.jar > > >
