Thanks Markus, that confirms my understanding. Also, I believe log4j1 is at end-of-life and susceptible to other security vulnerabilities which is why I’m looking forward to an official statement from the Zeppelin project.
From: Markus Härnvi <mar...@harnvi.net> Sent: Thursday, December 16, 2021 12:23 PM To: users@zeppelin.apache.org Cc: dev <d...@zeppelin.apache.org> Subject: Re: Log4J Vulnerability *** External email: use caution *** 1.2.17 is from the old 1.0 branch and not affected by CVE-2021-44228. Versions 1.* never had the JNDI lookup code. It is only log4j 2 that is vulnerable. Fixed in 2.15 and an enhanced fix in 2.16. /Markus On 16 Dec 2021 at 17:39:44, Jack Park <jackp...@topicquests.org<mailto:jackp...@topicquests.org>> wrote: The pom.xml says log4j is version 1.2.17 which, if I am not mistaken, is the patched version. That's what is in github now - it says nothing (to me) about older versions in use. On Thu, Dec 16, 2021 at 7:28 AM Pastrana, Rodrigo (RIS-BCT) <rodrigo.pastr...@lexisnexisrisk.com<mailto:rodrigo.pastr...@lexisnexisrisk.com>> wrote: Is Zeppelin affected by the recently discovered log4j vulnerability? I was not able to find an official announcement. Thanks. ________________________________ The information contained in this e-mail message is intended only for the personal and confidential use of the recipient(s) named above. This message may be an attorney-client communication and/or work product and as such is privileged and confidential. If the reader of this message is not the intended recipient or an agent responsible for delivering it to the intended recipient, you are hereby notified that you have received this document in error and that any review, dissemination, distribution, or copying of this message is strictly prohibited. If you have received this communication in error, please notify us immediately by e-mail, and delete the original message. ________________________________ The information contained in this e-mail message is intended only for the personal and confidential use of the recipient(s) named above. This message may be an attorney-client communication and/or work product and as such is privileged and confidential. If the reader of this message is not the intended recipient or an agent responsible for delivering it to the intended recipient, you are hereby notified that you have received this document in error and that any review, dissemination, distribution, or copying of this message is strictly prohibited. If you have received this communication in error, please notify us immediately by e-mail, and delete the original message.