CVE-2021-44228 states that it affects Apache Log4j2 2.0-beta9
through 2.12.1 and 2.13.0 through 2.15.0: JNDI features used in
configuration, log messages, and parameters do not protect against
attacker-controlled LDAP and other JNDI-related endpoints. *And Hadoop uses
log4j1 (1.2.17), so it will not be impacted.*



Please go through the following link for affected Apache projects.

https://blogs.apache.org/security/entry/cve-2021-44228

On Thu, Dec 16, 2021 at 4:25 PM Rupert Mazzucco <[email protected]>
wrote:

> The hadoop.apache.org page is curiously silent about this, and there is
> no CVE. Isn't this library used in Hadoop? Pretty sure I saw
> log4j.properties somewhere. Can anybody shed some light on the
> vulnerability of a Hadoop installation? Can it be exploited via RPC? The
> HDFS or YARN web interface? The command line?
>
> Thanks
> Rupert
>
>

-- 



--Brahma Reddy Battula
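
An added example, not part of the original message and not Hadoop's or Log4j's own tooling: a Python script that walks an installation directory, labels log4j 1.x and log4j-core 2.x jars against the version ranges quoted in the reply above, and flags other jars that embed `JndiLookup.class`. The label strings, the function names and the filename-based version parsing are assumptions of this example.

```python
import re
import sys
import zipfile
from pathlib import Path

# Class that implements the JNDI lookup in log4j-core 2.x; shaded/fat jars may embed it.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
CORE_RE = re.compile(r"log4j-core-(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?\.jar$")
V1_RE = re.compile(r"log4j-1\.\d+(\.\d+)?\.jar$")

def in_cve_range(major, minor, patch, pre=None, pre_n=0):
    """Ranges as quoted in the thread: 2.0-beta9..2.12.1 and 2.13.0..2.15.0."""
    v = (major, minor, patch)
    if v == (2, 0, 0) and pre in ("alpha", "beta"):
        return pre == "beta" and pre_n >= 9  # pre-releases before beta9 are not listed
    return (2, 0, 0) <= v <= (2, 12, 1) or (2, 13, 0) <= v <= (2, 15, 0)

def classify(jar):
    """Return a label (names are this example's own) for one jar file."""
    m = CORE_RE.search(jar.name)
    if m:
        hit = in_cve_range(int(m[1]), int(m[2]), int(m[3] or 0), m[4], int(m[5] or 0))
        return "log4j2-in-range" if hit else "log4j2-outside-range"
    if V1_RE.search(jar.name):
        return "log4j1"  # e.g. log4j-1.2.17.jar, the version the reply names for Hadoop
    try:
        with zipfile.ZipFile(jar) as z:
            # Filename told us nothing: look for a bundled copy of the lookup class.
            if any(n.endswith(JNDI_CLASS) for n in z.namelist()):
                return "embedded-jndilookup"
    except (zipfile.BadZipFile, OSError):
        return "unreadable"
    return "no-log4j"

def scan(root):
    """Map each log4j-related jar under root (relative path) to its label."""
    found = {}
    for jar in sorted(Path(root).rglob("*.jar")):
        label = classify(jar)
        if label != "no-log4j":
            found[str(jar.relative_to(root))] = label
    return found

if __name__ == "__main__":
    # Usage: python scan_log4j.py /path/to/installation (path is the reader's own)
    for path, label in scan(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(f"{label:22} {path}")
```

An `embedded-jndilookup` result only says the class is bundled; the bundled log4j-core version still has to be checked against the ranges by hand.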
