Thanks Jack, I see that as well, but the concern is it seems that entry was 
added to the top-level pom 7 years ago, and I thought the recent patch was 
released in log4j-core 2.15 and 2.16
https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-core/2.16.0

Has Zeppelin avoided CVE-2021-44228 by virtue of targeting the older End of 
life log4j1?
If so, is there a plan to patch? Otherwise, is there an official announcement?


From: Jack Park <jackp...@topicquests.org>
Sent: Thursday, December 16, 2021 11:40 AM
To: users@zeppelin.apache.org
Cc: dev <d...@zeppelin.apache.org>
Subject: Re: Log4J Vulnerability




The pom.xml says log4j is version 1.2.17 which, if I am not mistaken, is the 
patched version.
That's what is in github now - it says nothing (to me) about older versions in 
use.


On Thu, Dec 16, 2021 at 7:28 AM Pastrana, Rodrigo (RIS-BCT) 
<rodrigo.pastr...@lexisnexisrisk.com> wrote:
Is Zeppelin affected by the recently discovered log4j vulnerability?

I was not able to find an official announcement. Thanks.

________________________________
The information contained in this e-mail message is intended only for the 
personal and confidential use of the recipient(s) named above. This message may 
be an attorney-client communication and/or work product and as such is 
privileged and confidential. If the reader of this message is not the intended 
recipient or an agent responsible for delivering it to the intended recipient, 
you are hereby notified that you have received this document in error and that 
any review, dissemination, distribution, or copying of this message is strictly 
prohibited. If you have received this communication in error, please notify us 
immediately by e-mail, and delete the original message.
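
Added example, not part of the original thread and not Zeppelin project code: the thread compares log4j 1.2.17 in the top-level pom with the log4j-core 2.15 and 2.16 releases, but `log4j:log4j` (1.x) and `org.apache.logging.log4j:log4j-core` (2.x) are separate Maven artifacts, so the two version lines cannot be compared directly. The sketch below lists which of the two a POM declares, resolving `${property}` versions first; the sample POM and the function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed sample POM for illustration (not Zeppelin's actual pom.xml).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><log4j.version>1.2.17</log4j.version></properties>
  <dependencies>
    <dependency><groupId>log4j</groupId><artifactId>log4j</artifactId>
      <version>${log4j.version}</version></dependency>
    <dependency><groupId>org.apache.logging.log4j</groupId><artifactId>log4j-core</artifactId>
      <version>2.14.1</version></dependency>
    <dependency><groupId>org.apache.logging.log4j</groupId><artifactId>log4j-core</artifactId>
      <version>2.16.0</version></dependency>
  </dependencies>
</project>"""

def classify(group, artifact, version):
    """Label one coordinate relative to the releases named in the thread."""
    if (group, artifact) == ("log4j", "log4j"):
        return "log4j 1.x: separate artifact from log4j-core, end of life"
    if (group, artifact) == ("org.apache.logging.log4j", "log4j-core"):
        nums = tuple(int(n) for n in re.findall(r"\d+", version)[:2])
        if len(nums) < 2:
            return "log4j-core: version unresolved, review"
        return ("log4j-core 2.x: at or after 2.15" if nums >= (2, 15)
                else "log4j-core 2.x: older than 2.15, review")
    return None  # not a log4j coordinate

def scan_pom(pom_text):
    """Return (coordinate, label) pairs for log4j dependencies in one POM."""
    root = ET.fromstring(pom_text)
    props = {p.tag.split("}")[-1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", NS)}
    findings = []
    for dep in root.iter("{%s}dependency" % NS["m"]):
        g, a, v = (dep.findtext("m:" + t, default="", namespaces=NS).strip()
                   for t in ("groupId", "artifactId", "version"))
        v = re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), v)
        label = classify(g, a, v)
        if label:
            findings.append((g + ":" + a + ":" + v, label))
    return findings
```

A single pom.xml only shows direct declarations; versions inherited from a parent POM or pulled in transitively show up as unresolved or not at all, so the resolved dependency tree still needs checking.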

