[RATIS-1501] Exclude log4j JMSSink, JDBCAppender, and Chainsaw from the generated jar - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Resolved
Priority: Major
Resolution: Implemented
Affects Version/s: None
Fix Version/s: 2.3.0
Component/s: build
Labels:
None

Description

log4j 1.2.17 has the following vulnerabilities:

CVE-2022-23302: JMSSink
CVE-2022-23305 : JDBCAppender
CVE-2022-23307 : Chainsaw

We should exclude the related classes from the generated jars.

Attachments

Issue Links

relates to

RATIS-1499 Is Apache Ratis 2.2.0 affected by the high-risk vulnerability of the log4j 1.X series?

Resolved

links to

GitHub Pull Request #589

Activity

People

Assignee:: Tsz-wo Sze

Reporter:: Tsz-wo Sze

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 23/Jan/22 04:33

Updated:: 24/Jan/22 09:14

Resolved:: 24/Jan/22 09:14

Time Tracking

Estimated:

Not Specified

Remaining:

0h

Logged:

40m