You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@avro.apache.org by "Ryan Skraba (Jira)" <ji...@apache.org> on 2022/01/13 17:55:00 UTC

[jira] [Comment Edited] (AVRO-3304) avro-tools Update log4j dependency for critical vulnerability

    [ https://issues.apache.org/jira/browse/AVRO-3304?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17475560#comment-17475560 ] 

Ryan Skraba edited comment on AVRO-3304 at 1/13/22, 5:54 PM:
-------------------------------------------------------------

Hello!  If you are referring to the recent Log4shell/Log4jam RCE exploits, I don't think avro-tools is vulnerable and this might be a false positive.  The (admittedly {_}ancient{_}) version of log4j that is bundled with avro-tools is not affected by these CVEs.

That being said, we really should move forward to a modern version of log4j -– I'm OK with sl4j-simple, especially if we can avoid any changes to the [pattern|#L22].]-  As an alternative, there's also log4j-slf4j-impl which should be a drop-in replacement.

I've already changed my mind about this – I suspect that if anyone really cares about the logging pattern, they can (and probably should) repackage the uber-jar with the own log4j.properties and artifacts they want.


was (Author: ryanskraba):
Hello!  If you are referring to the recent Log4shell/Log4jam RCE exploits, I don't think avro-tools is vulnerable and this might be a false positive.  The (admittedly {_}ancient{_}) version of log4j that is bundled with avro-tools is not affected by these CVEs.

That being said, we really should move forward to a modern version of log4j – I'm OK with sl4j-simple, especially if we can avoid any changes to the [pattern|[https://github.com/apache/avro/blob/70260919426f89825ca148f5ee815f3b2cf4764d/lang/java/tools/src/main/resources/log4j.properties#L22].]  As an alternative, there's also log4j-slf4j-impl which should be a drop-in replacement.

> avro-tools Update log4j dependency for critical vulnerability
> -------------------------------------------------------------
>
>                 Key: AVRO-3304
>                 URL: https://issues.apache.org/jira/browse/AVRO-3304
>             Project: Apache Avro
>          Issue Type: Task
>          Components: tools
>    Affects Versions: 1.11.0
>            Reporter: Daniel Nash
>            Priority: Major
>
> Our company security is having a fit because Nessus scans are triggering on the bundled log4j in the avro-tools.jar.  Please update the log4j dependencies to the latest versions to remove the critical vulnerability present in the currently bundled log4j.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)