Description
I created a packaging job on Jenkins for the 3.0.1 release and verified its artifacts.
https://ci.bigtop.apache.org/view/Releases/job/Bigtop-3.0.1/
Then I found that YCSB still has the old version of log4j2.
$ for i in $(find output -name '*.rpm'); do rpm -qlp $i; done | grep jar$ | grep log4j-core
/usr/lib/elasticsearch/lib/log4j-core-2.17.1.jar
/usr/lib/flink/lib/log4j-core-2.17.1.jar
/usr/lib/hive/lib/log4j-core-2.17.1.jar
/usr/lib/logstash/logstash-core/lib/org/apache/logging/log4j/log4j-core/2.17.1/log4j-core-2.17.1.jar
/usr/lib/oozie/embedded-oozie-server/webapp/WEB-INF/lib/log4j-core-2.17.1.jar
/usr/lib/oozie/lib/log4j-core-2.17.1.jar
/usr/lib/oozie/lib/log4j-core-2.17.1.jar
/usr/lib/solr/contrib/prometheus-exporter/lib/log4j-core-2.17.1.jar
/usr/lib/solr/server/lib/ext/log4j-core-2.17.1.jar
/usr/lib/ycsb/elasticsearch5-binding/lib/log4j-core-2.17.1.jar
/usr/lib/ycsb/geode-binding/lib/log4j-core-2.7.jar
/usr/lib/ycsb/ignite-binding/lib/log4j-core-2.17.1.jar
/usr/lib/ycsb/tablestore-binding/lib/log4j-core-2.0.2.jar
/usr/lib/ycsb/voltdb-binding/lib/log4j-core-2.17.1.jar
They come from Geode 1.2.0 and TableStore SDK 4.8.0 as transitive dependencies.
https://mvnrepository.com/artifact/org.apache.geode/geode-core/1.2.0
https://mvnrepository.com/artifact/com.aliyun.openservices/tablestore/4.8.0
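The manual grep above can be turned into a release-verification check that fails on outdated jars. This is an added example, not part of the original issue or the Bigtop build; the function names `flag_old_log4j` and `sample_paths` are hypothetical, the 2.17.1 threshold is an assumption taken from the version the other packages ship in the listing, and the sample paths are a subset copied from that listing.

```shell
#!/bin/sh
# flag_old_log4j MIN_VERSION
# Reads file paths on stdin (e.g. the output of `rpm -qlp`) and prints
# "version<TAB>path" for every log4j-core jar older than MIN_VERSION.
# Only plain dotted numeric versions (2.7, 2.0.2, 2.17.1) are recognised;
# jars with qualifiers such as -beta9 are not matched by this sketch.
flag_old_log4j() {
    awk -v min="$1" '
    # Return 1 when dotted version a is lower than b (missing parts count as 0).
    function older(a, b,    x, y, n, m, i, k) {
        n = split(a, x, "."); m = split(b, y, ".")
        k = (n > m) ? n : m
        for (i = 1; i <= k; i++) {
            if ((x[i] + 0) < (y[i] + 0)) return 1
            if ((x[i] + 0) > (y[i] + 0)) return 0
        }
        return 0
    }
    {
        n = split($0, parts, "/")
        file = parts[n]                      # basename of the path
        if (file ~ /^log4j-core-[0-9]+(\.[0-9]+)*\.jar$/) {
            ver = file
            sub(/^log4j-core-/, "", ver)
            sub(/\.jar$/, "", ver)
            if (older(ver, min)) printf "%s\t%s\n", ver, $0
        }
    }'
}

# Sample input: a subset of the package listing shown in the issue.
sample_paths() {
    cat <<'EOF'
/usr/lib/hive/lib/log4j-core-2.17.1.jar
/usr/lib/ycsb/elasticsearch5-binding/lib/log4j-core-2.17.1.jar
/usr/lib/ycsb/geode-binding/lib/log4j-core-2.7.jar
/usr/lib/ycsb/tablestore-binding/lib/log4j-core-2.0.2.jar
/usr/lib/ycsb/voltdb-binding/lib/log4j-core-2.17.1.jar
EOF
}

# Assumed threshold: 2.17.1, the version the other packages already ship.
sample_paths | flag_old_log4j 2.17.1
```

In a packaging job the `rpm -qlp` loop from the description would be piped into `flag_old_log4j 2.17.1`, and any non-empty output treated as a failed verification.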
Issue Links
- relates to BIGTOP-3613 Review log4j configurations for CVE-2021-44228 (Resolved)