Federal Agencies are being given CISA directives requiring all agencies to upgrade log4j 1.x applications to versions supporting log4j version 2.16.0 or higher (as of last Friday) or remove the jar files from our machines.
1.x versions of log4j are EOL, are vulnerable to multiple existing CVEs (9.8 Critical severity RCE <https://nvd.nist.gov/vuln/detail/CVE-2019-17571> and 8.1 High severity RCE <https://nvd.nist.gov/vuln/detail/CVE-2021-4104>), and due to increased scrutiny have already had a new CVE reported this week (<https://nvd.nist.gov/vuln/detail/CVE-2021-4104>).
The CISA guidance will continue to grow and improve over time, and as of Friday 12/17/2021 CISA stated that log4j needs to be upgraded to 2.16.0 or higher.
I'm afraid Apache's statement <https://hadoop.apache.org/news/2021-12-17-log4jshell.html> will not meet the federal requirement. Please consider this an urgent request to release updated versions of Hadoop 2.x / 3.x which support log4j 2.17 or higher. Patches or workarounds would be helpful in the short term.