
Make sure Hudi doesn't use affected log4j2 version


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Blocker
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: 0.11.0
    • Component/s: None

    Description

      It has recently been reported that the JNDI features of log4j2 versions >= 2-beta9 and <= 2.15 are affected by a 0-day vulnerability that can execute arbitrary code if an attacker-controlled string gets logged.

      More details could be found here:

      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228


      We need to make sure that none of these versions is present in Hudi's direct or transitive dependencies.
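One way to perform that dependency check, added here as an example and not code from the ticket or from the Hudi project: scan `mvn dependency:tree` style output (the format the attached deps files are assumed to be in) for `log4j-core` coordinates and flag every version inside the range the ticket names. The sample tree below is constructed; only the version bounds come from the ticket.

```python
import re

# Affected range exactly as stated in the ticket: >= 2.0-beta9 and <= 2.15 (both bounds inclusive).
AFFECTED_LOW = "2.0-beta9"
AFFECTED_HIGH = "2.15"

# Matches a log4j-core coordinate in `mvn dependency:tree` output and captures the version.
LOG4J_CORE_RE = re.compile(r"org\.apache\.logging\.log4j:log4j-core:jar:([^:\s]+)")
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(beta|rc)(\d+))?$")
PRERELEASE_RANK = {"beta": 0, "rc": 1, None: 2}  # beta < rc < final release

def parse_version(version):
    """Turn '2.0-beta9', '2.14.1' or '2.15' into a tuple that sorts in release order."""
    m = VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised log4j version format: {version}")
    major, minor, patch, tag, tag_num = m.groups()
    return (int(major), int(minor), int(patch or 0), PRERELEASE_RANK[tag], int(tag_num or 0))

def is_affected(version):
    """True if `version` falls inside the range the ticket calls affected."""
    return parse_version(AFFECTED_LOW) <= parse_version(version) <= parse_version(AFFECTED_HIGH)

def find_affected(tree_text):
    """Scan dependency-tree text; return [(version, line)] for every affected log4j-core entry."""
    hits = []
    for line in tree_text.splitlines():
        m = LOG4J_CORE_RE.search(line)
        if m and is_affected(m.group(1)):
            hits.append((m.group(1), line.strip()))
    return hits

# Constructed sample in the shape of `mvn dependency:tree` output (not the ticket's attachments).
# The log4j:log4j 1.x line is a different artifact and is deliberately not matched.
SAMPLE_TREE = """\
[INFO] org.apache.hudi:hudi-spark-bundle_2.11:jar:0.11.0-SNAPSHOT
[INFO] +- log4j:log4j:jar:1.2.17:compile
[INFO] +- org.apache.logging.log4j:log4j-api:jar:2.17.1:compile
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.17.1:compile
[INFO] \\- org.apache.spark:spark-core_2.11:jar:2.4.4:provided
[INFO]    +- org.apache.logging.log4j:log4j-core:jar:2.14.1:provided
[INFO]    \\- org.apache.logging.log4j:log4j-core:jar:2.0-beta9:test
"""

if __name__ == "__main__":
    for version, line in find_affected(SAMPLE_TREE):
        print(f"AFFECTED log4j-core {version}: {line}")
```

Run it against a real tree with `mvn dependency:tree -Dincludes=org.apache.logging.log4j > deps.txt` and feed the file contents to `find_affected`; any hit is a dependency that must be excluded or overridden.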

      Attachments

        1. _spark2_scala211_deps.txt (691 kB, Alexey Kudinkin)
        2. _spark3_scala212_deps.txt (686 kB, Alexey Kudinkin)

        People

          Assignee: Alexey Kudinkin (alexey.kudinkin)
          Reporter: Alexey Kudinkin (alexey.kudinkin)
