Posted to dev@carbondata.apache.org by Liang Chen <ch...@apache.org> on 2022/01/09 08:57:48 UTC
Re: [DISCUSSION] Log4j2 Vulnerability (CVE-2021-44228, CVE-2021-45046,CVE-2021-45105) Analysis
Thanks, Indhumathi.
This analysis info would be very helpful for us.
Regards
Liang
On 2021/12/30 12:31:12 Indhumathi M wrote:
> Hello all, this discussion is related to a Log4j2 vulnerability.
>
> As you may be aware, there has been a critical vulnerability in Log4j2, the
> Java Logging Library, that could result in Remote Code Execution (RCE) if an
> affected version of log4j (2.0 <= log4j <= 2.15.0) logs an
> attacker-controlled string value without proper validation. Please see more
> details on CVE-2021-44228
> <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228>.
>
> We currently believe that the Apache CarbonData platform is not impacted.
> Apache CarbonData does not directly use a version of log4j known to be
> affected by the vulnerability. We have reviewed the code and run the
> vulnerability tool, as per the tool report, these three vulnerabilities
> (CVE-2021-44228, CVE-2021-45046, CVE-2021-45105) are not identified.
>
>
> Regards,
>
> Indhumathi M
>