Apache projects affected by log4j CVE-2021-44228

This entry is where we will collect links to statements provided by ASF projects on if they are affected by CVE-2021-44228, the security issue in Log4j2.

Project	Status
Apache Ant	Not Affected, a deprecated module uses log4j 1.x
Apache Archiva	Affected, release 2.2.6 will address this
Apache AsterixDB	Affected, fixed in 0.9.7.1
Apache Calcite Avatica	Affected, update to 1.20.0
Apache Camel	Not affected
Apache CloudStack	Not Affected
Apache Druid	Affected, update to 0.22.1
Apache EventMesh	Affected
Apache Flink	Affected, fixed in 1.14.2, 1.13.5, 1.12,7, 1.11.6
Apache Fortress	Affected, update to 2.0.7
Apache Geode	Affected, update to 1.12.6, 1.13.5, 1.14.1
Apache Guacamole	Not Affected
Apache Hadoop	Not affected, uses log4j 1.x
Apache Hive	Affected
Apache HTTP Server (httpd)	Not affected
Apache Iceberg	Not Affected
Apache James	Affected, update to 3.6.1
Apache Jena	Affected, update to 4.3.1
Apache JMeter	Affected, update to 5.4.2
Apache JSPWiki	Affected, update to 2.11.1
Apache Kafka	Not Affected
Apache Log4J 1.2	Not Affected, see CVE-2021-4104. Note Log4j 1.x is EOL since 2015.
Apache Log4J 2.x	Affected, update to 2.16.0
Apache Log4Net	Not affected
Apache Lucene	Affected, update to 8.11.1
Apache Maven	Not affected, Maven 3.1+ uses lsf4j simple-logger
Apache OFBiz	Affected, update to 18.12.03
Apache Ozone	Affected, update to 1.2.1
Apache POI	Not affected, only uses log4j-api
Apache SkyWalking	Affected, update to 8.9.1
Apache Sling	Not affected
Apache Solr	Affected, update to 8.11.1
Apache Spark	Not affected, uses log4j 1.x
Apache Subversion	Not affected
Apache Struts	Affected
Apache Tika	Affected (1.x is not affected as uses log4j 1.x)
Apache Tomcat	Not Affected
Apache TrafficControl	Not affected, used log4j 1.x
Apache Uima	Not affected
Apache XMLBeans	Not affected, only uses log4j-api
Apache ZooKeeper	Not affected, uses log4j 1.x

Posted at 01:16PM Dec 14, 2021 by mjc in General  |   |