Posted to user@drill.apache.org by James Turton <dz...@apache.org> on 2021/12/13 09:44:02 UTC

Log4j RCE vulnerability CVE-2021-44228

Dear user community

You've probably heard about this severe vulnerability in the ubiquitous 
Log4j library which was uncovered at the end of last week.  Drill uses 
the slf4j library for logging and our assessment is that existing 
versions of Drill are not vulnerable because they do not include the 
affected component (Log4j Core).  Note that this is an informal 
assessment by developers in the community, please consult an InfoSec 
professional if you require a formal assessment.

Drill does include a log4j-to-slf4j shim, and we did merge an update to 
this component <https://github.com/apache/drill/pull/2403> since the 
Log4j project bumped its version number when they patched Log4j Core, 
but we do not believe that Drill installations without this update are 
vulnerable. It will be shipped with Drill 1.20 nonetheless.

https://www.cve.org/CVERecord?id=CVE-2021-44228
https://www.lunasec.io/docs/blog/log4j-zero-day/

Regards

James Turton
Apache Drill Committer
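The assessment above rests on which Log4j artifacts actually ship in an installation. The following is an added example, not code from the thread or the Drill project, that audits a lib directory the way an operator would verify that claim: it reads each jar's Maven pom.properties for the log4j artifactId and version and checks for the JndiLookup class that only Log4j Core carries. The jar layout and the 2.15.0/2.14.1 fixture jars it builds are constructed for the demonstration.

```python
import os, re, tempfile, zipfile

# Class implementing Log4j Core's JNDI lookup (CVE-2021-44228); absent from log4j-api and log4j-to-slf4j.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = re.compile(r"^META-INF/maven/org\.apache\.logging\.log4j/([^/]+)/pom\.properties$")

def inspect_jar(path):
    """Return ({log4j artifactId: version}, has_jndi_lookup) for one jar."""
    versions, has_jndi = {}, False
    with zipfile.ZipFile(path) as zf:
        for name in zf.namelist():
            if name == JNDI_LOOKUP:
                has_jndi = True
            m = POM_PROPS.match(name)
            if m:
                props = zf.read(name).decode("utf-8", "replace")
                ver = re.search(r"^version=(.+)$", props, re.M)
                versions[m.group(1)] = ver.group(1).strip() if ver else "unknown"
    return versions, has_jndi

def scan_lib_dir(root):
    """Walk a lib directory; report the log4j artifacts found and any jar carrying JndiLookup."""
    report = {"log4j_artifacts": {}, "jars_with_jndi_lookup": []}
    for dirpath, _, files in os.walk(root):
        for f in sorted(files):
            if not f.endswith(".jar"):
                continue
            try:
                versions, has_jndi = inspect_jar(os.path.join(dirpath, f))
            except zipfile.BadZipFile:
                continue  # not a real jar; skip it rather than abort the scan
            report["log4j_artifacts"].update(versions)
            if has_jndi:
                report["jars_with_jndi_lookup"].append(f)
    return report

def build_sample_lib_dir(include_core=False):
    """Constructed fixture: log4j-api and the log4j-to-slf4j shim at 2.15.0, optionally Log4j Core too."""
    root = tempfile.mkdtemp()
    artifacts = [("log4j-api", "2.15.0"), ("log4j-to-slf4j", "2.15.0")]
    if include_core:
        artifacts.append(("log4j-core", "2.14.1"))
    for artifact, version in artifacts:
        with zipfile.ZipFile(os.path.join(root, f"{artifact}-{version}.jar"), "w") as zf:
            zf.writestr(f"META-INF/maven/org.apache.logging.log4j/{artifact}/pom.properties", f"version={version}\nartifactId={artifact}\n")
            if artifact == "log4j-core":
                zf.writestr(JNDI_LOOKUP, b"")  # empty placeholder standing in for the real class
    return root
```

Run `scan_lib_dir("/path/to/drill/jars")` against a real installation; an empty `jars_with_jndi_lookup` list with no `log4j-core` entry is the condition the post describes.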

Re: Log4j RCE vulnerability CVE-2021-44228

Posted by James Turton <dz...@apache.org>.
It's the same story for the second incarnation, CVE-2021-45046. We're 
updating log4j-api and log4j-to-slf4j to 2.16 but do not believe 
that either of these components were vulnerable.

https://www.zdnet.com/article/second-log4j-vulnerability-found-apache-log4j-2-16-0-released/

On 2021/12/13 13:35, luoc wrote:
> In short, `log4j-api` and `log4j-to-slf4j` started to exist at 1.20, but it is already 2.15.
>
>> On Dec 13, 2021, at 17:44, James Turton <dz...@apache.org> wrote:
>>
>> Dear user community
>>
>> You've probably heard about this severe vulnerability in the ubiquitous Log4j library which was uncovered at the end of last week.  Drill uses the slf4j library for logging and our assessment is that existing versions of Drill are not vulnerable because they do not include the affected component (Log4j Core).  Note that this is an informal assessment by developers in the community, please consult an InfoSec professional if you require a formal assessment.
>>
>> Drill does include a log4j-to-slf4j shim, and we did merge an update to this component <https://github.com/apache/drill/pull/2403> since the Log4j project bumped its version number when they patched Log4j Core, but we do not believe that Drill installations without this update are vulnerable. It will be shipped with Drill 1.20 nonetheless.
>>
>> https://www.cve.org/CVERecord?id=CVE-2021-44228
>> https://www.lunasec.io/docs/blog/log4j-zero-day/
>>
>> Regards
>>
>> James Turton
>> Apache Drill Committer

Re: Log4j RCE vulnerability CVE-2021-44228

Posted by luoc <lu...@apache.org>.
In short, `log4j-api` and `log4j-to-slf4j` started to exist at 1.20, but it is already 2.15.

> On Dec 13, 2021, at 17:44, James Turton <dz...@apache.org> wrote:
> 
> Dear user community
> 
> You've probably heard about this severe vulnerability in the ubiquitous Log4j library which was uncovered at the end of last week.  Drill uses the slf4j library for logging and our assessment is that existing versions of Drill are not vulnerable because they do not include the affected component (Log4j Core).  Note that this is an informal assessment by developers in the community, please consult an InfoSec professional if you require a formal assessment.
> 
> Drill does include a log4j-to-slf4j shim, and we did merge an update to this component <https://github.com/apache/drill/pull/2403> since the Log4j project bumped its version number when they patched Log4j Core, but we do not believe that Drill installations without this update are vulnerable. It will be shipped with Drill 1.20 nonetheless.
> 
> https://www.cve.org/CVERecord?id=CVE-2021-44228
> https://www.lunasec.io/docs/blog/log4j-zero-day/
> 
> Regards
> 
> James Turton
> Apache Drill Committer