Posted to issues@zookeeper.apache.org by "Christopher Tubbs (Jira)" <ji...@apache.org> on 2022/04/01 09:03:00 UTC

[jira] [Commented] (ZOOKEEPER-4509) log4j vulnerability

    [ https://issues.apache.org/jira/browse/ZOOKEEPER-4509?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17515814#comment-17515814 ] 

Christopher Tubbs commented on ZOOKEEPER-4509:
----------------------------------------------

Which log4j vulnerability? ZooKeeper has never used log4j2, which contained the widely reported (and fixed) log4shell vulnerabilities.

The community has discussed at length the migration path away from log4j1, which does have its own less severe vulnerabilities than the recent ones affecting log4j2. Please consider checking those discussions in the mailing list archives for details. However, to summarize:

* 3.8.0 was released recently and removed log4j in favor of logback. See the release notes: https://zookeeper.apache.org/releases.html#releasenotes
* For older versions, you can replace the log4j jar in your classpath with reload4j. See https://reload4j.qos.ch/
* Older releases of 3.6 and 3.7 may see a new release that substitutes log4j with reload4j for your convenience (but again, this is something you can already do for your own installations, and you need not wait for the ZooKeeper community to release an update for you to patch your systems)

The mailing list archives can be found at https://lists.apache.org/list.html?dev@zookeeper.apache.org if you wish to see further details.

You can also subscribe and ask questions on the dev or user mailing list, rather than create a JIRA issue. Issues are generally for tracking work, and aren't usually the best way to get questions answered.

> log4j vulnerability
> -------------------
>
>                 Key: ZOOKEEPER-4509
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4509
>             Project: ZooKeeper
>          Issue Type: Bug
>         Environment: All platforms
>            Reporter: Adarsh Shukla
>            Priority: Major
>
> Hi Team,
> We want to understand how to handle the ZooKeeper log4j vulnerability? Is the team planning to release a new version of ZooKeeper which resolves the log4j vulnerability issue?
>  
> Regards,
> Adarsh



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
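
One way to check which of the cases in the comment above applies to an installation, as an added example that is not part of the original message or of ZooKeeper's own tooling: a shell function that classifies the logging jars in a lib directory by file name. The function name and the reliance on standard Maven jar naming are assumptions; renamed or shaded jars are not detected.

```shell
#!/bin/sh
# Added example: report which logging backend a ZooKeeper lib directory
# carries, judged by jar file names (standard Maven artifact naming is
# assumed). classify_logging_backend is a hypothetical helper name.

classify_logging_backend() {
    dir=$1
    has_log4j1=0
    has_reload4j=0
    has_log4j2=0
    has_logback=0
    for jar in "$dir"/*.jar; do
        [ -e "$jar" ] || continue          # directory has no jars at all
        case $(basename "$jar") in
            # log4j2's compatibility bridge starts with "log4j-1.2" but is
            # not log4j 1.x, so it must be matched before the next pattern.
            log4j-1.2-api-*.jar)   ;;
            log4j-1.*.jar)         has_log4j1=1 ;;
            reload4j-*.jar)        has_reload4j=1 ;;
            log4j-core-2.*.jar)    has_log4j2=1 ;;
            logback-classic-*.jar) has_logback=1 ;;
        esac
    done
    # log4j 1.x wins even when reload4j is also present: both jars provide
    # the org.apache.log4j package, so the old one must be removed.
    if [ "$has_log4j1" -eq 1 ]; then
        echo "log4j1"      # candidate for the reload4j swap
    elif [ "$has_log4j2" -eq 1 ]; then
        echo "log4j2"      # not shipped by ZooKeeper; added locally
    elif [ "$has_reload4j" -eq 1 ]; then
        echo "reload4j"    # swap already done
    elif [ "$has_logback" -eq 1 ]; then
        echo "logback"     # layout of 3.8.0 and later
    else
        echo "unknown"
    fi
}
```

Call it as `classify_logging_backend /path/to/zookeeper/lib`; a result of `log4j1` means the directory still holds the jar that the comment suggests replacing with reload4j.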