1.2.17 is from the old 1.0 branch and not affected by CVE-2021-44228. Versions 1.* never had the JNDI lookup code.
It is only log4j 2 that is vulnerable. Fixed in 2.15 and an enhanced fix in 2.16.

/Markus

On 16 Dec 2021 at 17:39:44, Jack Park <jackp...@topicquests.org> wrote:

> The pom.xml says log4j is version 1.2.17 which, if I am not mistaken, is
> the patched version.
> That's what is in GitHub now - it says nothing (to me) about older
> versions in use.
>
> On Thu, Dec 16, 2021 at 7:28 AM Pastrana, Rodrigo (RIS-BCT) <
> rodrigo.pastr...@lexisnexisrisk.com> wrote:
>
>> Is Zeppelin affected by the recently discovered log4j vulnerability?
>>
>> I was not able to find an official announcement. Thanks.
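
The check discussed in this thread, as an added example that is not part of the original messages or of Zeppelin's code: it reads a pom.xml, resolves `${property}` version references, and classifies each log4j dependency using only the version boundaries stated above. The sample POM, the function names and the status labels are constructed for illustration, and treating every 2.x release before 2.15 as affected is an assumption drawn from the reply.

```python
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
GROUPS = ("log4j", "org.apache.logging.log4j")  # 1.x and 2.x group ids
# Constructed sample POM for illustration (not Zeppelin's actual pom.xml).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><log4j2.version>2.14.1</log4j2.version></properties>
  <dependencies>
    <dependency>
      <groupId>log4j</groupId><artifactId>log4j</artifactId>
      <version>1.2.17</version>
    </dependency>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId>
      <version>${log4j2.version}</version>
    </dependency>
  </dependencies>
</project>"""

def classify(version):
    """Status for CVE-2021-44228 per the thread: 1.x has no JNDI lookup
    code, 2.x is vulnerable, fixed in 2.15, enhanced fix in 2.16."""
    m = re.match(r"(\d+)\.(\d+)", version)
    if not m:
        return "unknown"  # e.g. an unresolved ${property}
    major, minor = int(m.group(1)), int(m.group(2))
    if major == 1:
        return "not-affected"
    if major == 2:
        if minor < 15:
            return "affected"
        return "fixed-2.15" if minor == 15 else "fixed"
    return "unknown"

def audit_pom(pom_text):
    """Return (coordinate, resolved version, status) per log4j dependency."""
    root = ET.fromstring(pom_text)
    props = {p.tag.split("}")[-1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", NS)}
    results = []
    for dep in root.iterfind(".//m:dependency", NS):
        gid = dep.findtext("m:groupId", "", NS).strip()
        if gid not in GROUPS:
            continue
        aid = dep.findtext("m:artifactId", "", NS).strip()
        raw = dep.findtext("m:version", "", NS).strip()
        ver = re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), raw)
        results.append((f"{gid}:{aid}", ver, classify(ver)))
    return results
```

A pom.xml only lists declared dependencies; versions inherited from a parent POM or pulled in transitively are not visible to this check.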