Posted to dev@carbondata.apache.org by Liang Chen <ch...@apache.org> on 2022/01/09 08:57:48 UTC

Re: [DISCUSSION] Log4j2 Vulnerability (CVE-2021-44228, CVE-2021-45046,CVE-2021-45105) Analysis

Thanks, Indhumathi.
This analysis info would be very helpful for us.

Regards
Liang

On 2021/12/30 12:31:12 Indhumathi M wrote:
> Hello all, this discussion is related to a Log4j2 vulnerability.
> 
> As you may be aware, there has been a critical vulnerability in Log4j2, the
> Java Logging Library, that could result in Remote Code Execution (RCE) if an
> affected version of log4j (2.0 <= log4j <= 2.15.0) logs an
> attacker-controlled string value without proper validation. Please see more
> details on CVE-2021-44228
> <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228>.
>
> We currently believe that the Apache CarbonData platform is not impacted.
> Apache CarbonData does not directly use a version of log4j known to be
> affected by the vulnerability. We have reviewed the code and run the
> vulnerability tool, as per the tool report, these three vulnerabilities
> (CVE-2021-44228, CVE-2021-45046, CVE-2021-45105) are not identified.
> 
> 
> Regards,
> 
> Indhumathi M
>