Posted to user@mahout.apache.org by Trevor Grant <tr...@gmail.com> on 2021/12/14 00:26:11 UTC

Log4j, CVE-2021-44228, and Mahout

Many of you have probably become aware of Log4j's vulnerability to
CVE-2021-44228 recently.

Though Mahout is a sleepy project, we are vigilant and want you to know we
are aware of the issue and have been monitoring.

First, let me assure you that since Mahout (like over 90% of log4j users)
is on version 1.x it is not vulnerable to the JNDI remote execution attack
[1]. That said, 1.x was set for EOL in 2015, so it's probably time to
update that. I've made a JIRA ticket (MAHOUT-2140)[2].

The update isn't too complex, but it's also not trivial, and most
importantly it's not critical so you're not endangering anything running
Mahout, and we'll hopefully get it in for the next release in a couple of
months.

Hope this helps everyone feel secure going into their holiday season.

~Trevor

[1] http://slf4j.org/log4shell.html
[2] https://issues.apache.org/jira/projects/MAHOUT/issues/MAHOUT-2140
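
To check the version claim above against your own deployment, here is an added example (not part of the original post and not Mahout code): a Python scanner that opens jar/war/ear archives, including archives nested inside fat jars, and reports whether each carries Log4j 1.x API classes or Log4j 2.x core classes, and whether the JndiLookup class is present. The archive names and version strings in demo() are constructed sample data.

```python
import io
import os
import sys
import zipfile
from dataclasses import dataclass
from typing import Optional

# Class-file paths used as markers inside an archive.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
CORE_2X_PREFIX = "org/apache/logging/log4j/core/"
API_1X_MARKER = "org/apache/log4j/Appender.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear")
MAX_NESTED_BYTES = 256 * 1024 * 1024   # skip implausibly large nested entries


@dataclass
class Finding:
    path: str                # outer archive, nested entries joined with "!"
    line: str                # "1.x" or "2.x"
    version: Optional[str]   # from Maven pom.properties, when present
    jndi_lookup: bool        # True if the JndiLookup class is in the archive


def _pom_version(zf, names):
    """Return the version recorded in an embedded log4j pom.properties."""
    for name in names:
        if name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
            text = zf.read(name).decode("utf-8", "replace")
            props = dict(line.split("=", 1) for line in text.splitlines()
                         if "=" in line and not line.startswith("#"))
            if props.get("artifactId", "").strip() in ("log4j", "log4j-core"):
                return props.get("version", "").strip() or None
    return None


def scan_archive(data, path, depth=0, max_depth=4):
    """Classify one archive (as bytes) and recurse into nested archives."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    with zf:
        names = zf.namelist()
        name_set = set(names)
        has_core = any(n.startswith(CORE_2X_PREFIX) and n.endswith(".class")
                       for n in names)
        if has_core:
            findings.append(Finding(path, "2.x", _pom_version(zf, names),
                                    JNDI_LOOKUP in name_set))
        elif API_1X_MARKER in name_set:
            # 1.x API classes only; a compatible bridge or fork also matches.
            findings.append(Finding(path, "1.x", _pom_version(zf, names), False))
        if depth < max_depth:
            for n in names:
                if (n.lower().endswith(ARCHIVE_SUFFIXES)
                        and zf.getinfo(n).file_size <= MAX_NESTED_BYTES):
                    findings.extend(scan_archive(zf.read(n), path + "!" + n,
                                                 depth + 1, max_depth))
    return findings


def scan_tree(root):
    """Scan every archive under a directory tree."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname.lower().endswith(ARCHIVE_SUFFIXES):
                full = os.path.join(dirpath, fname)
                with open(full, "rb") as fh:
                    findings.extend(scan_archive(fh.read(), full))
    return findings


def _make_jar(entries):
    """Build an in-memory archive from {entry name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def demo():
    """Constructed fat jar holding one 1.x jar and one 2.x core jar."""
    old = _make_jar({
        API_1X_MARKER: b"",
        "META-INF/maven/log4j/log4j/pom.properties":
            "version=1.2.17\ngroupId=log4j\nartifactId=log4j\n"})
    new = _make_jar({
        JNDI_LOOKUP: b"",
        "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties":
            "version=2.14.1\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n"})
    fat = _make_jar({"lib/log4j-1.2.17.jar": old,
                     "lib/log4j-core-2.14.1.jar": new,
                     "app/Main.class": b""})
    return scan_archive(fat, "constructed-app.jar")


if __name__ == "__main__":
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for f in results:
        print(f"{f.line:4} version={f.version} JndiLookup={f.jndi_lookup} {f.path}")
```

Run it with a directory argument to scan an installation; with no argument it scans the constructed sample.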

Re: Log4j, CVE-2021-44228, and Mahout

Posted by Trevor Grant <tr...@gmail.com>.
@Musselman, I sent invite directly to you.

@Anyone-else-interested, please don't be shy, join us:

Apache Mahout
Tuesday, December 28 · 5:00 – 6:00pm (CST, -0600)
Google Meet joining info
Video call link: https://meet.google.com/ajg-rxbo-jvw

On Thu, Dec 23, 2021 at 12:33 PM Trevor Grant <tr...@gmail.com>
wrote:

> Works for me- if anyone else wants to join and that time doesn't work
> (17:00 -6:00 UTC), speak up.
>
> On Thu, Dec 23, 2021 at 12:22 PM Andrew Musselman <
> andrew.musselman@gmail.com> wrote:
>
>> Works for me; have a good holiday and see you Tuesday. Five p.m. Central
>> maybe?
>>
>> On Tue, Dec 21, 2021 at 12:56 PM Trevor Grant <tr...@gmail.com>
>> wrote:
>>
>> > I don't think we set a time / place to meet tonight-
>> >
>> > I propose punting to next week, I'll probably hack a bit tonight- just
>> send
>> > a proposed time / channel.
>> >
>> > tg
>> >
>> > On Wed, Dec 15, 2021 at 8:52 AM Andrew Musselman <
>> > andrew.musselman@gmail.com>
>> > wrote:
>> >
>> > > Good for me
>> > >
>> > > On Tue, Dec 14, 2021 at 6:13 AM Trevor Grant <
>> trevor.d.grant@gmail.com>
>> > > wrote:
>> > >
>> > > > Love this idea, how about Tuesday evenings, starting the 21st ( a
>> week
>> > > from
>> > > > tonight )
>> > > >
>> > > > On Mon, Dec 13, 2021 at 7:37 PM Andrew Musselman <
>> > > > andrew.musselman@gmail.com>
>> > > > wrote:
>> > > >
>> > > > > Thanks Trevor; may be a good time to revive our online meetings to
>> > talk
>> > > > > through this one..
>> > > > >
>> > > > > I could find time during the holiday break pretty much any day; if
>> > > anyone
>> > > > > else is interested let us know if there's a good time to chat.
>> > > > >
>> > > > > On Mon, Dec 13, 2021 at 4:26 PM Trevor Grant <
>> > trevor.d.grant@gmail.com
>> > > >
>> > > > > wrote:
>> > > > >
>> > > > > > Many of you have probably become aware of Log4j's vulnerability
>> to
>> > > > > > CVE-2021-44228 recently.
>> > > > > >
>> > > > > > Though Mahout is a sleepy project, we are vigilant and want you
>> to
>> > > know
>> > > > > we
>> > > > > > are aware of the issue and have been monitoring.
>> > > > > >
>> > > > > > First, let me assure you that since Mahout (like over 90% of
>> log4j
>> > > > users)
>> > > > > > is on version 1.x it is not vulnerable to the JNDI remote
>> execution
>> > > > > attack
>> > > > > > [1]. That said, 1.x was set for EOL in 2015, so it's probably
>> time
>> > to
>> > > > > > update that. I've made a JIRA ticket (MAHOUT-2140)[2].
>> > > > > >
>> > > > > > The update isn't too complex, but it's also not trivial, and
>> most
>> > > > > > importantly it's not critical so you're not endangering anything
>> > > > running
>> > > > > > Mahout, and we'll hopefully get it in for the next release in a
>> > > couple
>> > > > of
>> > > > > > months.
>> > > > > >
>> > > > > > Hope this helps everyone feel secure going into their holiday
>> > season.
>> > > > > >
>> > > > > > ~Trevor
>> > > > > >
>> > > > > > [1] http://slf4j.org/log4shell.html
>> > > > > > [2]
>> > > https://issues.apache.org/jira/projects/MAHOUT/issues/MAHOUT-2140
>> > > > > >
>> > > > >
>> > > >
>> > >
>> >
>>
>

Re: Log4j, CVE-2021-44228, and Mahout

Posted by Trevor Grant <tr...@gmail.com>.
Works for me- if anyone else wants to join and that time doesn't work
(17:00 -6:00 UTC), speak up.

On Thu, Dec 23, 2021 at 12:22 PM Andrew Musselman <
andrew.musselman@gmail.com> wrote:

> Works for me; have a good holiday and see you Tuesday. Five p.m. Central
> maybe?
>
> On Tue, Dec 21, 2021 at 12:56 PM Trevor Grant <tr...@gmail.com>
> wrote:
>
> > I don't think we set a time / place to meet tonight-
> >
> > I propose punting to next week, I'll probably hack a bit tonight- just
> send
> > a proposed time / channel.
> >
> > tg
> >
> > On Wed, Dec 15, 2021 at 8:52 AM Andrew Musselman <
> > andrew.musselman@gmail.com>
> > wrote:
> >
> > > Good for me
> > >
> > > On Tue, Dec 14, 2021 at 6:13 AM Trevor Grant <trevor.d.grant@gmail.com
> >
> > > wrote:
> > >
> > > > Love this idea, how about Tuesday evenings, starting the 21st ( a
> week
> > > from
> > > > tonight )
> > > >
> > > > On Mon, Dec 13, 2021 at 7:37 PM Andrew Musselman <
> > > > andrew.musselman@gmail.com>
> > > > wrote:
> > > >
> > > > > Thanks Trevor; may be a good time to revive our online meetings to
> > talk
> > > > > through this one..
> > > > >
> > > > > I could find time during the holiday break pretty much any day; if
> > > anyone
> > > > > else is interested let us know if there's a good time to chat.
> > > > >
> > > > > On Mon, Dec 13, 2021 at 4:26 PM Trevor Grant <
> > trevor.d.grant@gmail.com
> > > >
> > > > > wrote:
> > > > >
> > > > > > Many of you have probably become aware of Log4j's vulnerability
> to
> > > > > > CVE-2021-44228 recently.
> > > > > >
> > > > > > Though Mahout is a sleepy project, we are vigilant and want you
> to
> > > know
> > > > > we
> > > > > > are aware of the issue and have been monitoring.
> > > > > >
> > > > > > First, let me assure you that since Mahout (like over 90% of
> log4j
> > > > users)
> > > > > > > is on version 1.x it is not vulnerable to the JNDI remote
> execution
> > > > > attack
> > > > > > [1]. That said, 1.x was set for EOL in 2015, so it's probably
> time
> > to
> > > > > > update that. I've made a JIRA ticket (MAHOUT-2140)[2].
> > > > > >
> > > > > > The update isn't too complex, but it's also not trivial, and most
> > > > > > importantly it's not critical so you're not endangering anything
> > > > running
> > > > > > Mahout, and we'll hopefully get it in for the next release in a
> > > couple
> > > > of
> > > > > > months.
> > > > > >
> > > > > > Hope this helps everyone feel secure going into their holiday
> > season.
> > > > > >
> > > > > > ~Trevor
> > > > > >
> > > > > > [1] http://slf4j.org/log4shell.html
> > > > > > [2]
> > > https://issues.apache.org/jira/projects/MAHOUT/issues/MAHOUT-2140
> > > > > >
> > > > >
> > > >
> > >
> >
>

Re: Log4j, CVE-2021-44228, and Mahout

Posted by Andrew Musselman <an...@gmail.com>.
Works for me; have a good holiday and see you Tuesday. Five p.m. Central
maybe?

On Tue, Dec 21, 2021 at 12:56 PM Trevor Grant <tr...@gmail.com>
wrote:

> I don't think we set a time / place to meet tonight-
>
> I propose punting to next week, I'll probably hack a bit tonight- just send
> a proposed time / channel.
>
> tg
>
> On Wed, Dec 15, 2021 at 8:52 AM Andrew Musselman <
> andrew.musselman@gmail.com>
> wrote:
>
> > Good for me
> >
> > On Tue, Dec 14, 2021 at 6:13 AM Trevor Grant <tr...@gmail.com>
> > wrote:
> >
> > > Love this idea, how about Tuesday evenings, starting the 21st ( a week
> > from
> > > tonight )
> > >
> > > On Mon, Dec 13, 2021 at 7:37 PM Andrew Musselman <
> > > andrew.musselman@gmail.com>
> > > wrote:
> > >
> > > > Thanks Trevor; may be a good time to revive our online meetings to
> talk
> > > > through this one..
> > > >
> > > > I could find time during the holiday break pretty much any day; if
> > anyone
> > > > else is interested let us know if there's a good time to chat.
> > > >
> > > > On Mon, Dec 13, 2021 at 4:26 PM Trevor Grant <
> trevor.d.grant@gmail.com
> > >
> > > > wrote:
> > > >
> > > > > Many of you have probably become aware of Log4j's vulnerability to
> > > > > CVE-2021-44228 recently.
> > > > >
> > > > > Though Mahout is a sleepy project, we are vigilant and want you to
> > know
> > > > we
> > > > > are aware of the issue and have been monitoring.
> > > > >
> > > > > First, let me assure you that since Mahout (like over 90% of log4j
> > > users)
> > > > > > is on version 1.x it is not vulnerable to the JNDI remote execution
> > > > attack
> > > > > [1]. That said, 1.x was set for EOL in 2015, so it's probably time
> to
> > > > > update that. I've made a JIRA ticket (MAHOUT-2140)[2].
> > > > >
> > > > > The update isn't too complex, but it's also not trivial, and most
> > > > > importantly it's not critical so you're not endangering anything
> > > running
> > > > > Mahout, and we'll hopefully get it in for the next release in a
> > couple
> > > of
> > > > > months.
> > > > >
> > > > > Hope this helps everyone feel secure going into their holiday
> season.
> > > > >
> > > > > ~Trevor
> > > > >
> > > > > [1] http://slf4j.org/log4shell.html
> > > > > [2]
> > https://issues.apache.org/jira/projects/MAHOUT/issues/MAHOUT-2140
> > > > >
> > > >
> > >
> >
>

Re: Log4j, CVE-2021-44228, and Mahout

Posted by Trevor Grant <tr...@gmail.com>.
I don't think we set a time / place to meet tonight-

I propose punting to next week, I'll probably hack a bit tonight- just send
a proposed time / channel.

tg

On Wed, Dec 15, 2021 at 8:52 AM Andrew Musselman <an...@gmail.com>
wrote:

> Good for me
>
> On Tue, Dec 14, 2021 at 6:13 AM Trevor Grant <tr...@gmail.com>
> wrote:
>
> > Love this idea, how about Tuesday evenings, starting the 21st ( a week
> from
> > tonight )
> >
> > On Mon, Dec 13, 2021 at 7:37 PM Andrew Musselman <
> > andrew.musselman@gmail.com>
> > wrote:
> >
> > > Thanks Trevor; may be a good time to revive our online meetings to talk
> > > through this one..
> > >
> > > I could find time during the holiday break pretty much any day; if
> anyone
> > > else is interested let us know if there's a good time to chat.
> > >
> > > On Mon, Dec 13, 2021 at 4:26 PM Trevor Grant <trevor.d.grant@gmail.com
> >
> > > wrote:
> > >
> > > > Many of you have probably become aware of Log4j's vulnerability to
> > > > CVE-2021-44228 recently.
> > > >
> > > > Though Mahout is a sleepy project, we are vigilant and want you to
> know
> > > we
> > > > are aware of the issue and have been monitoring.
> > > >
> > > > First, let me assure you that since Mahout (like over 90% of log4j
> > users)
> > > > > is on version 1.x it is not vulnerable to the JNDI remote execution
> > > attack
> > > > [1]. That said, 1.x was set for EOL in 2015, so it's probably time to
> > > > update that. I've made a JIRA ticket (MAHOUT-2140)[2].
> > > >
> > > > The update isn't too complex, but it's also not trivial, and most
> > > > importantly it's not critical so you're not endangering anything
> > running
> > > > Mahout, and we'll hopefully get it in for the next release in a
> couple
> > of
> > > > months.
> > > >
> > > > Hope this helps everyone feel secure going into their holiday season.
> > > >
> > > > ~Trevor
> > > >
> > > > [1] http://slf4j.org/log4shell.html
> > > > [2]
> https://issues.apache.org/jira/projects/MAHOUT/issues/MAHOUT-2140
> > > >
> > >
> >
>

Re: Log4j, CVE-2021-44228, and Mahout

Posted by Andrew Musselman <an...@gmail.com>.
Good for me

On Tue, Dec 14, 2021 at 6:13 AM Trevor Grant <tr...@gmail.com>
wrote:

> Love this idea, how about Tuesday evenings, starting the 21st ( a week from
> tonight )
>
> On Mon, Dec 13, 2021 at 7:37 PM Andrew Musselman <
> andrew.musselman@gmail.com>
> wrote:
>
> > Thanks Trevor; may be a good time to revive our online meetings to talk
> > through this one..
> >
> > I could find time during the holiday break pretty much any day; if anyone
> > else is interested let us know if there's a good time to chat.
> >
> > On Mon, Dec 13, 2021 at 4:26 PM Trevor Grant <tr...@gmail.com>
> > wrote:
> >
> > > Many of you have probably become aware of Log4j's vulnerability to
> > > CVE-2021-44228 recently.
> > >
> > > Though Mahout is a sleepy project, we are vigilant and want you to know
> > we
> > > are aware of the issue and have been monitoring.
> > >
> > > First, let me assure you that since Mahout (like over 90% of log4j
> users)
> > > > is on version 1.x it is not vulnerable to the JNDI remote execution
> > attack
> > > [1]. That said, 1.x was set for EOL in 2015, so it's probably time to
> > > update that. I've made a JIRA ticket (MAHOUT-2140)[2].
> > >
> > > The update isn't too complex, but it's also not trivial, and most
> > > importantly it's not critical so you're not endangering anything
> running
> > > Mahout, and we'll hopefully get it in for the next release in a couple
> of
> > > months.
> > >
> > > Hope this helps everyone feel secure going into their holiday season.
> > >
> > > ~Trevor
> > >
> > > [1] http://slf4j.org/log4shell.html
> > > [2] https://issues.apache.org/jira/projects/MAHOUT/issues/MAHOUT-2140
> > >
> >
>

Re: Log4j, CVE-2021-44228, and Mahout

Posted by Trevor Grant <tr...@gmail.com>.
Love this idea, how about Tuesday evenings, starting the 21st ( a week from
tonight )

On Mon, Dec 13, 2021 at 7:37 PM Andrew Musselman <an...@gmail.com>
wrote:

> Thanks Trevor; may be a good time to revive our online meetings to talk
> through this one..
>
> I could find time during the holiday break pretty much any day; if anyone
> else is interested let us know if there's a good time to chat.
>
> On Mon, Dec 13, 2021 at 4:26 PM Trevor Grant <tr...@gmail.com>
> wrote:
>
> > Many of you have probably become aware of Log4j's vulnerability to
> > CVE-2021-44228 recently.
> >
> > Though Mahout is a sleepy project, we are vigilant and want you to know
> we
> > are aware of the issue and have been monitoring.
> >
> > First, let me assure you that since Mahout (like over 90% of log4j users)
> > is on version 1.x it is not vulnerable to the JNDI remote execution
> attack
> > [1]. That said, 1.x was set for EOL in 2015, so it's probably time to
> > update that. I've made a JIRA ticket (MAHOUT-2140)[2].
> >
> > The update isn't too complex, but it's also not trivial, and most
> > importantly it's not critical so you're not endangering anything running
> > Mahout, and we'll hopefully get it in for the next release in a couple of
> > months.
> >
> > Hope this helps everyone feel secure going into their holiday season.
> >
> > ~Trevor
> >
> > [1] http://slf4j.org/log4shell.html
> > [2] https://issues.apache.org/jira/projects/MAHOUT/issues/MAHOUT-2140
> >
>

Re: Log4j, CVE-2021-44228, and Mahout

Posted by Andrew Musselman <an...@gmail.com>.
Thanks Trevor; may be a good time to revive our online meetings to talk
through this one..

I could find time during the holiday break pretty much any day; if anyone
else is interested let us know if there's a good time to chat.

On Mon, Dec 13, 2021 at 4:26 PM Trevor Grant <tr...@gmail.com>
wrote:

> Many of you have probably become aware of Log4j's vulnerability to
> CVE-2021-44228 recently.
>
> Though Mahout is a sleepy project, we are vigilant and want you to know we
> are aware of the issue and have been monitoring.
>
> First, let me assure you that since Mahout (like over 90% of log4j users)
> is on version 1.x it is not vulnerable to the JNDI remote execution attack
> [1]. That said, 1.x was set for EOL in 2015, so it's probably time to
> update that. I've made a JIRA ticket (MAHOUT-2140)[2].
>
> The update isn't too complex, but it's also not trivial, and most
> importantly it's not critical so you're not endangering anything running
> Mahout, and we'll hopefully get it in for the next release in a couple of
> months.
>
> Hope this helps everyone feel secure going into their holiday season.
>
> ~Trevor
>
> [1] http://slf4j.org/log4shell.html
> [2] https://issues.apache.org/jira/projects/MAHOUT/issues/MAHOUT-2140
>
