Posted to issues@zookeeper.apache.org by "Dilip anand (Jira)" <ji...@apache.org> on 2022/01/25 11:12:00 UTC

[jira] [Created] (ZOOKEEPER-4450) Zookeeper 3.7.0 is using Vulnerable log4j of 1.2.17

Dilip anand created ZOOKEEPER-4450:
--------------------------------------

             Summary: Zookeeper 3.7.0 is using Vulnerable log4j of 1.2.17
                 Key: ZOOKEEPER-4450
                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4450
             Project: ZooKeeper
          Issue Type: Bug
          Components: audit
    Affects Versions: 3.6.2, 3.7.0
         Environment: Production
            Reporter: Dilip anand
            Assignee: Mohammad Arshad


Hello Team,

 

We are currently using Zookeeper 3.4.6 and found the below log4j security vulnerability.

 

The sad part is that Zookeeper is using a too-old log4j jar file, and the fixed version of log4j is 2.16.0.

 

Can we get the "log4j" fixed version of zookeeper as soon as possible to include it in the production setup? 

 

Nessus scan report:

---------------------

Path : /opt/zookeeper/zookeeper-3.4.10/bin/../lib/log4j-1.2.16.jar Installed version : 1.2.16 Fixed version : 2.16.0

Path : /opt/zookeeper/zookeeper-3.4.10/contrib/rest/lib/log4j-1.2.15.jar Installed version : 1.2.15 Fixed version : 2.16.0

Path : /opt/zookeeper/zookeeper-3.4.10/lib/log4j-1.2.16.jar Installed version : 1.2.16 Fixed version : 2.16.0

 

Regards,

Anandaa



--
This message was sent by Atlassian Jira
(v8.20.1#820001)