Posted to user@hadoop.apache.org by Deepti Sharma S <de...@ericsson.com.INVALID> on 2022/01/09 14:48:50 UTC

Apache Hadoop Fix for CVE-2021-44228, CVSS 10.0 (Critical)

Hello Team,

As we have the Log4J vulnerability CVE-2021-44228, CVSS 10.0 (Critical), can you please confirm when we will have a Hadoop release which has this vulnerability fix and has Log4J version 2.17?



Regards,
Deepti Sharma
PMP® & ITIL


Re: Apache Hadoop Fix for CVE-2021-44228, CVSS 10.0 (Critical)

Posted by Ayush Saxena <ay...@gmail.com>.
That is also there in the doc, the last mention:

https://hadoop.apache.org/cve_list.html

Can check the doc, just copying from there:

CVE-2021-4104 Log4Shell Vulnerability

JMSAppender in Log4j 1.2, used by all versions of Apache Hadoop, is vulnerable to the Log4Shell attack in a similar fashion to CVE-2021-44228. However, the JMSAppender is not the default configuration shipped in Hadoop. When JMSAppender is not enabled, Hadoop is not vulnerable to the attack.

To mitigate the risk, you can remove JMSAppender from the log4j-1.2.17.jar artifact yourself following the instructions in this link.



-Ayush

> On 10-Jan-2022, at 10:59 AM, Deepti Sharma S <de...@ericsson.com> wrote:
> 
> 
> Hello Ayush,
>  
> Thanks for replying, however CVE-2021-4104, which is for Log4J 1.x, also has an impact on our application as we are using Hadoop.
>  
> Can you please confirm what is the mitigation for this CVE?
>  
>  
> Regards,
> Deepti Sharma 
> PMP® & ITIL 
> 
>  
> From: Ayush Saxena <ay...@gmail.com> 
> Sent: Monday, January 10, 2022 3:17 AM
> To: Deepti Sharma S <de...@ericsson.com.invalid>
> Cc: user@hadoop.apache.org
> Subject: Re: Apache Hadoop Fix for CVE-2021-44228, CVSS 10.0 (Critical)
>  
> It is written on the website:
>  
> https://hadoop.apache.org/
>  
> Hadoop, as of today, depends on log4j 1.x, which is NOT susceptible to the attack (CVE-2021-44228).
> 
>  
>  
> 
> 
> On 09-Jan-2022, at 8:19 PM, Deepti Sharma S <de...@ericsson.com.invalid> wrote:
> 
> 
> Hello Team,
>  
> As we have the Log4J vulnerability CVE-2021-44228, CVSS 10.0 (Critical), can you please confirm when we will have a Hadoop release which has this vulnerability fix and has Log4J version 2.17?
>  
>  
>  
> Regards,
> Deepti Sharma 
> PMP® & ITIL
> 
>  
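
The mitigation Ayush quotes above (strip JMSAppender out of log4j-1.2.17.jar, and confirm no appender in log4j.properties is configured as JMSAppender) as an added example; this is not code from the thread or from the Hadoop project, the jar and properties content are constructed inline, and the function names are mine:

```python
import io
import zipfile
from typing import List

# Class entry removed by the "zip -d" style mitigation, and its FQCN in log4j.properties
JMS_APPENDER_CLASS = "org/apache/log4j/net/JMSAppender.class"
JMS_APPENDER_FQCN = "org.apache.log4j.net.JMSAppender"


def jar_entries(jar_bytes: bytes) -> List[str]:
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return sorted(zf.namelist())


def jar_has_jms_appender(jar_bytes: bytes) -> bool:
    return JMS_APPENDER_CLASS in jar_entries(jar_bytes)


def strip_jms_appender(jar_bytes: bytes) -> bytes:
    """Return a copy of the jar with the JMSAppender class removed; everything else is kept."""
    src = zipfile.ZipFile(io.BytesIO(jar_bytes))
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename != JMS_APPENDER_CLASS:
                dst.writestr(info, src.read(info.filename))
    return out.getvalue()


def jms_appenders_in_config(properties_text: str) -> List[str]:
    """Names of appenders declared as JMSAppender (keys of the form log4j.appender.<name>=<class>)."""
    found = []
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        key, value = key.strip(), value.strip()
        # exactly two dots: log4j.appender.<name>; deeper keys are appender properties, not declarations
        if sep and key.startswith("log4j.appender.") and key.count(".") == 2 and value == JMS_APPENDER_FQCN:
            found.append(key[len("log4j.appender."):])
    return found


def build_sample_jar() -> bytes:
    """Constructed stand-in for log4j-1.2.17.jar (fake class bytes, only the entry names matter)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/apache/log4j/Logger.class", b"\xca\xfe\xba\xbe")
        zf.writestr(JMS_APPENDER_CLASS, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


# Constructed log4j.properties: one console appender and one JMS appender
SAMPLE_LOG4J_PROPERTIES = """# constructed sample
log4j.rootLogger=INFO, console, JMS
log4j.appender.console=org.apache.log4j.ConsoleAppender
log4j.appender.JMS=org.apache.log4j.net.JMSAppender
log4j.appender.JMS.TopicBindingName=logTopic
"""
```

Run `jms_appenders_in_config` over each log4j.properties on the cluster and `jar_has_jms_appender` over each log4j 1.2 jar on the classpath; a jar that still carries the class and a config that names it are the two things the quoted advisory text says must not coincide.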

RE: Apache Hadoop Fix for CVE-2021-44228, CVSS 10.0 (Critical)

Posted by Deepti Sharma S <de...@ericsson.com.INVALID>.
Hello Ayush,

Thanks for replying, however CVE-2021-4104, which is for Log4J 1.x, also has an impact on our application as we are using Hadoop.

Can you please confirm what is the mitigation for this CVE?


Regards,
Deepti Sharma
PMP® & ITIL


From: Ayush Saxena <ay...@gmail.com>
Sent: Monday, January 10, 2022 3:17 AM
To: Deepti Sharma S <de...@ericsson.com.invalid>
Cc: user@hadoop.apache.org
Subject: Re: Apache Hadoop Fix for CVE-2021-44228, CVSS 10.0 (Critical)

It is written on the website:

https://hadoop.apache.org/


Hadoop, as of today, depends on log4j 1.x, which is NOT susceptible to the attack (CVE-2021-44228).



On 09-Jan-2022, at 8:19 PM, Deepti Sharma S <de...@ericsson.com.invalid> wrote:

Hello Team,

As we have the Log4J vulnerability CVE-2021-44228, CVSS 10.0 (Critical), can you please confirm when we will have a Hadoop release which has this vulnerability fix and has Log4J version 2.17?



Regards,
Deepti Sharma
PMP® & ITIL


Re: Apache Hadoop Fix for CVE-2021-44228, CVSS 10.0 (Critical)

Posted by Ayush Saxena <ay...@gmail.com>.
It is written on the website:

https://hadoop.apache.org/

Hadoop, as of today, depends on log4j 1.x, which is NOT susceptible to the attack (CVE-2021-44228).




> 
> On 09-Jan-2022, at 8:19 PM, Deepti Sharma S <de...@ericsson.com.invalid> wrote:
> 
> 
> Hello Team,
>  
> As we have the Log4J vulnerability CVE-2021-44228, CVSS 10.0 (Critical), can you please confirm when we will have a Hadoop release which has this vulnerability fix and has Log4J version 2.17?
>  
>  
>  
> Regards,
> Deepti Sharma 
> PMP® & ITIL
> 
>