Posted to issues@zookeeper.apache.org by "Christopher Tubbs (Jira)" <ji...@apache.org> on 2022/01/25 12:21:00 UTC
[jira] [Resolved] (ZOOKEEPER-4450) Zookeeper 3.7.0 is using Vulnerable log4j of 1.2.17
[ https://issues.apache.org/jira/browse/ZOOKEEPER-4450?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Christopher Tubbs resolved ZOOKEEPER-4450.
------------------------------------------
Resolution: Duplicate
> Zookeeper 3.7.0 is using Vulnerable log4j of 1.2.17
> ---------------------------------------------------
>
> Key: ZOOKEEPER-4450
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4450
> Project: ZooKeeper
> Issue Type: Bug
> Components: audit
> Affects Versions: 3.7.0, 3.6.2
> Environment: Production
> Reporter: Dilip anand
> Assignee: Mohammad Arshad
> Priority: Major
> Original Estimate: 120h
> Remaining Estimate: 120h
>
> Hello Team,
>
> We are currently using Zookeeper of 3.4.6 and found the below log4j security vulnerability.
>
> The sad part is zookeeper is using too old log4j jar file and the fixed version of log4j is 2.16.0.
>
> Can we get the "log4j" fixed version of zookeeper as soon as possible to include it in the production setup?
>
> Nessus scan report::
> ---------------------
> Path : /opt/zookeeper/zookeeper-3.4.10/bin/../lib/log4j-1.2.16.jar Installed version : 1.2.16 Fixed version : 2.16.0
> Path : /opt/zookeeper/zookeeper-3.4.10/contrib/rest/lib/log4j-1.2.15.jar Installed version : 1.2.15 Fixed version : 2.16.0
> Path : /opt/zookeeper/zookeeper-3.4.10/lib/log4j-1.2.16.jar Installed version : 1.2.16 Fixed version : 2.16.0
>
> Regards,
> Anandaa