Posted to user@zookeeper.apache.org by Daniel Chan <da...@oracle.com> on 2020/01/31 23:58:13 UTC

Zookeeper 3.5.6 supports log4j 2.x?

Hi,

One of the Zookeeper 3.5.6 dependencies is:

log4j > log4j 1.2.17

However, Log4j 1.x has reached end of life according to https://logging.apache.org/log4j/1.2/ and it also has a security vulnerability:

CVE-2019-17571 has been identified against Log4j 1. Log4j includes a SocketServer that accepts serialized log events and deserializes them without verifying whether the objects are allowed or not. This can provide an attack vector that can be exploited. Since Log4j 1 is no longer maintained this issue will not be fixed. Users are urged to upgrade to Log4j 2.

Is there any plan to upgrade to log4j 2.x? Or will it work if we just replace with log4j 2 jars?

Thanks,

Daniel

 

Re: Zookeeper 3.5.6 supports log4j 2.x?

Posted by Enrico Olivelli <eo...@gmail.com>.
No, sorry.
But CVE-2019-17571 affects neither the Zookeeper client nor the Zookeeper
server.
We have an open ticket about this problem.
Probably we will move to slf4j in 3.7.
Any help or contribution in this direction would be very much appreciated.


Enrico
