I filed a jira HADOOP-18050 <https://issues.apache.org/jira/browse/HADOOP-18050> and posted a PR to document our stance on the log4jshell vulnerability. Please review.
On Fri, Dec 17, 2021 at 5:59 PM Brahma Reddy Battula <[email protected]> wrote:
>
> CVE-2021-44228 states that it will affect the Apache Log4j2 2.0-beta9
> through 2.12.1 and 2.13.0 through 2.15.0: JNDI features used in
> configuration, log messages, and parameters do not protect against attacker
> controlled LDAP and other JNDI related endpoints. *And hadoop uses the
> log4j1 (1.2.17) so it will not impact.*
>
> Please go through the following link for affected apache projects.
>
> https://blogs.apache.org/security/entry/cve-2021-44228
>
> On Thu, Dec 16, 2021 at 4:25 PM Rupert Mazzucco <[email protected]> wrote:
>
>> The hadoop.apache.org page is curiously silent about this, and there is
>> no CVE. Isn't this library used in Hadoop? Pretty sure I saw
>> log4j.properties somewhere. Can anybody shed some light on the
>> vulnerability of a Hadoop installation? Can it be exploited via RPC? The
>> HDFS or YARN web interface? The command line?
>>
>> Thanks
>> Rupert
>
> --
> --Brahma Reddy Battula
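Rupert's question ("isn't this library used in Hadoop?") and Brahma's answer (Hadoop ships log4j 1.2.17) both come down to checking which log4j jars are actually on an installation's classpath. The following scanner is an added example, not Hadoop project code: it walks a directory tree, picks out jars named like `log4j-1.2.17.jar` or `log4j-core-2.14.1.jar` (that naming convention is an assumption), checks each version against the range quoted in the thread, and reports whether the `JndiLookup` class is present, since stripping that class from log4j-core was one of the published mitigations. The sample jars it builds are constructed, empty placeholders so the check runs offline.

```python
import os
import re
import tempfile
import zipfile

# Lookup class whose removal from log4j-core was a documented mitigation.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Assumed jar naming: log4j-1.2.17.jar, log4j-core-2.14.1.jar, log4j-core-2.0-beta9.jar.
JAR_RE = re.compile(r"^(log4j(?:-core)?)-(\d+(?:\.\d+)+).*\.jar$")

def in_affected_range(version):
    """CVE range: 2.0-beta9 to 2.12.1 and 2.13.0 to 2.15.0 (qualifiers ignored)."""
    v = tuple(int(x) for x in version.split("."))
    return v[0] == 2 and v <= (2, 15, 0) and v != (2, 12, 2)

def classify_jar(path):
    """Return a verdict string for a log4j jar, or None for any other file."""
    m = JAR_RE.match(os.path.basename(path))
    if not m:
        return None
    artifact, version = m.group(1), m.group(2)
    with zipfile.ZipFile(path) as zf:
        has_jndi = JNDI_LOOKUP in zf.namelist()
    if version.startswith("1."):
        return f"{artifact} {version}: log4j 1.x, CVE-2021-44228 does not apply"
    if in_affected_range(version) and has_jndi:
        return f"{artifact} {version}: affected, JndiLookup present, upgrade"
    if in_affected_range(version):
        return f"{artifact} {version}: affected version, JndiLookup class removed"
    return f"{artifact} {version}: outside the affected range"

def scan(root):
    """Walk root and map each log4j jar's file name to its verdict."""
    verdicts = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            verdict = classify_jar(os.path.join(dirpath, name))
            if verdict is not None:
                verdicts[name] = verdict
    return verdicts

def make_sample_tree():
    """Constructed sample jars (empty class entries, not real artifacts) for an offline run."""
    root = tempfile.mkdtemp()
    samples = {"log4j-1.2.17.jar": "org/apache/log4j/Logger.class",
               "log4j-core-2.14.1.jar": JNDI_LOOKUP}
    for name, entry in samples.items():
        with zipfile.ZipFile(os.path.join(root, name), "w") as zf:
            zf.writestr(entry, b"")
    return root
```

Point `scan()` at a real Hadoop lib directory to get the same verdict per jar; a log4j-core jar in the quoted range with `JndiLookup` still inside is the case to act on.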
