That is also there in the doc, the last mention: https://hadoop.apache.org/cve_list.html
Can check the doc, just copying from there: CVE-2021-4104 Log4Shell Vulnerability JMSAppender in Log4j 1.2, used by all versions of Apache Hadoop, is vulnerable to the Log4Shell attack in a similar fashion to CVE-2021-44228. However, the JMSAppender is not the default configuration shipped in Hadoop. When JMSAppender is not enabled, Hadoop is not vulnerable to the attack. To mitigate the risk, you can remove JMSAppender from the log4j-1.2.17.jar artifact yourself following the instructions in this link. -Ayush > On 10-Jan-2022, at 10:59 AM, Deepti Sharma S <[email protected]> > wrote: > > > Hello Ayush, > > Thanks for replying, however the CVE-2021-4104 which is for Log4J 1.x is also > have impact on our application as we are using Hadoop. > > Can you please confirm what is the mitigation for this CVE? > > > Regards, > Deepti Sharma > PMP® & ITIL > > > From: Ayush Saxena <[email protected]> > Sent: Monday, January 10, 2022 3:17 AM > To: Deepti Sharma S <[email protected]> > Cc: [email protected] > Subject: Re: Apache Hadoop Fix for CVE-2021-44228, CVSS 10.0 (Critical) > > It is written on the website: > > https://hadoop.apache.org/ > > Hadoop, as of today depends on log4j 1.x, which is NOT susceptible to the > attack (CVE-2021-44228). > > > > > > On 09-Jan-2022, at 8:19 PM, Deepti Sharma S > <[email protected]> wrote: > > > Hello Team, > > As we have Log4J vulnerability CVE-2021-44228, CVSS 10.0 (Critical), can you > please confirm, when we have Hadoop version release which has this > vulnerability fix and has Log4J version 2.17? > > > > Regards, > Deepti Sharma > PMP® & ITIL > >
