Posted to commits@rocketmq.apache.org by du...@apache.org on 2021/12/16 13:44:28 UTC

[rocketmq-site] branch master updated: Notes(blog) add CVE-2021-44228 notes

This is an automated email from the ASF dual-hosted git repository.

duhengforever pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/rocketmq-site.git


The following commit(s) were added to refs/heads/master by this push:
     new 74020a9  Notes(blog) add CVE-2021-44228 notes
74020a9 is described below

commit 74020a9b63dd70b0c24fa084fbba241c7e0543b5
Author: duhenglucky <du...@apache.org>
AuthorDate: Thu Dec 16 21:44:11 2021 +0800

    Notes(blog) add CVE-2021-44228 notes
---
 _posts/2021-12-16-CVE-2021-44228.md | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/_posts/2021-12-16-CVE-2021-44228.md b/_posts/2021-12-16-CVE-2021-44228.md
new file mode 100644
index 0000000..7a03891
--- /dev/null
+++ b/_posts/2021-12-16-CVE-2021-44228.md
@@ -0,0 +1,12 @@
+---
+title: "Notes on Apache Log4j Zero Day (CVE-2021-44228)"
+categories:
+  - RocketMQ
+---
+
+### Apache RocketMQ is not affected by this CVE-2021-44228.
+
+- Apache RocketMQ does not depend on log4j2 actually, although there are imports in the pom file.
+- Apache RocketMQ's broker depends on the logback,and RocketMQ's client depends on log4j2, but its dependency scope is test, and the related dependencies have been deleted in this PR [#3635](https://github.com/apache/rocketmq/issues/3635) .
+- Apache RocketMQ's logappender depends on log4j2, but it is optional, Therefore, the release file does not contain log4j2 related dependencies.
+- Apache RocketMQ still bumped up the log4j2 version in PRs [#3621](https://github.com/apache/rocketmq/issues/3621) [#3623](https://github.com/apache/rocketmq/issues/3623), and developers can cherry-pick related PRs to your private repo to deal with code scanning, and we expect RocketMQ 4.9.3 to be released in the next 1-2 weeks.
\ No newline at end of file
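Review bot: The first bullet ("does not depend on log4j2 actually, although there are imports in the pom file") reads as contradicting the second and third bullets, which say the client and logappender modules do declare log4j2 (test scope and optional respectively); state the claim precisely, e.g. "no compile- or runtime-scope dependency on log4j2, so no log4j-core jar ships in the release distribution", and give readers a way to confirm it themselves, such as listing the lib directory of the release archive or checking the compile-scope dependency tree of the client module. The same bullets need grammar fixes ("logback,and" -> "logback, and"; "optional, Therefore" -> "optional; therefore") and the heading should read "is not affected by CVE-2021-44228" rather than "this CVE-2021-44228". In the last bullet, "cherry-pick related PRs to your private repo" mixes third and second person; "their private repos" matches the rest of the sentence.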