Details
- Bug
- Status: Resolved
- Major
- Resolution: Duplicate
- 3.7.0, 3.6.2
- None
- None
- Production
- Incompatible change
Description
Hello Team,
We are currently using Zookeeper 3.4.6 and found the below log4j security vulnerability.
The sad part is that Zookeeper is using a too old log4j jar file, and the fixed version of log4j is 2.16.0.
Can we get the "log4j" fixed version of zookeeper as soon as possible to include it in the production setup?
Nessus scan report:
---------------------
Path : /opt/zookeeper/zookeeper-3.4.10/bin/../lib/log4j-1.2.16.jar Installed version : 1.2.16 Fixed version : 2.16.0
Path : /opt/zookeeper/zookeeper-3.4.10/contrib/rest/lib/log4j-1.2.15.jar Installed version : 1.2.15 Fixed version : 2.16.0
Path : /opt/zookeeper/zookeeper-3.4.10/lib/log4j-1.2.16.jar Installed version : 1.2.16 Fixed version : 2.16.0
Regards,
Anandaa
Issue Links
- duplicates: ZOOKEEPER-4427 Migrate to Logback (Resolved)