Posted to issues@zookeeper.apache.org by "Christopher Tubbs (Jira)" <ji...@apache.org> on 2022/01/25 12:21:00 UTC

[jira] [Resolved] (ZOOKEEPER-4450) Zookeeper 3.7.0 is using Vulnerable log4j of 1.2.17

     [ https://issues.apache.org/jira/browse/ZOOKEEPER-4450?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Christopher Tubbs resolved ZOOKEEPER-4450.
------------------------------------------
    Resolution: Duplicate

> Zookeeper 3.7.0 is using Vulnerable log4j of 1.2.17
> ---------------------------------------------------
>
>                 Key: ZOOKEEPER-4450
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4450
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: audit
>    Affects Versions: 3.7.0, 3.6.2
>         Environment: Production
>            Reporter: Dilip anand
>            Assignee: Mohammad Arshad
>            Priority: Major
>   Original Estimate: 120h
>  Remaining Estimate: 120h
>
> Hello Team,
>  
> We are currently using Zookeeper of 3.4.6 and found the below log4j security vulnerability.
>  
> The sad part is zookeeper is using a too old log4j jar file and the fixed version of log4j is 2.16.0.
>  
> Can we get the "log4j" fixed version of zookeeper as soon as possible to include it in the production setup? 
>  
> Nessus scan report::
> ---------------------
> Path : /opt/zookeeper/zookeeper-3.4.10/bin/../lib/log4j-1.2.16.jar Installed version : 1.2.16 Fixed version : 2.16.0
> Path : /opt/zookeeper/zookeeper-3.4.10/contrib/rest/lib/log4j-1.2.15.jar Installed version : 1.2.15 Fixed version : 2.16.0
> Path : /opt/zookeeper/zookeeper-3.4.10/lib/log4j-1.2.16.jar Installed version : 1.2.16 Fixed version : 2.16.0
>  
> Regards,
> Anandaa



--
This message was sent by Atlassian Jira
(v8.20.1#820001)