Apache Security Team
Position available: Security Response Program Manager
We are looking for a part-time Program Manager to work in the Apache Software Foundation security response team. The main focus will be on the handling and organisation of the incoming security reports across our 300+ open source projects.[Read More]
Posted at 09:03AM May 05, 2022
by mjc in General |
|
Apache projects affected by log4j CVE-2021-44228
This entry is where we will collect links to statements provided by ASF projects on if they are affected by CVE-2021-44228, the security issue in Log4j2.
| Project | Status |
|---|---|
| Apache Ant | Not Affected, a deprecated module uses log4j 1.x |
| Apache Archiva | Affected, release 2.2.6 will address this |
| Apache AsterixDB | Affected, fixed in 0.9.7.1 |
| Apache Calcite Avatica | Affected, update to 1.20.0 |
| Apache Camel | Not affected |
| Apache CloudStack | Not Affected |
| Apache Druid | Affected, update to 0.22.1 |
| Apache EventMesh | Affected |
| Apache Flink | Affected, fixed in 1.14.2, 1.13.5, 1.12,7, 1.11.6 |
| Apache Fortress | Affected, update to 2.0.7 |
| Apache Geode | Affected, update to 1.12.6, 1.13.5, 1.14.1 |
| Apache Guacamole | Not Affected |
| Apache Hadoop | Not affected, uses log4j 1.x |
| Apache Hive | Affected |
| Apache HTTP Server (httpd) | Not affected |
| Apache Iceberg | Not Affected |
| Apache James | Affected, update to 3.6.1 |
| Apache Jena | Affected, update to 4.3.1 |
| Apache JMeter | Affected, update to 5.4.2 |
| Apache JSPWiki | Affected, update to 2.11.1 |
| Apache Kafka | Not Affected |
| Apache Log4J 1.2 | Not Affected, see CVE-2021-4104. Note Log4j 1.x is EOL since 2015. |
| Apache Log4J 2.x | Affected, update to 2.16.0 |
| Apache Log4Net | Not affected |
| Apache Lucene | Affected, update to 8.11.1 |
| Apache Maven | Not affected, Maven 3.1+ uses lsf4j simple-logger |
| Apache OFBiz | Affected, update to 18.12.03 |
| Apache Ozone | Affected, update to 1.2.1 |
| Apache POI | Not affected, only uses log4j-api |
| Apache SkyWalking | Affected, update to 8.9.1 |
| Apache Sling | Not affected |
| Apache Solr | Affected, update to 8.11.1 |
| Apache Spark | Not affected, uses log4j 1.x |
| Apache Subversion | Not affected |
| Apache Struts | Affected |
| Apache Tika | Affected (1.x is not affected as uses log4j 1.x) |
| Apache Tomcat | Not Affected |
| Apache TrafficControl | Not affected, used log4j 1.x |
| Apache Uima | Not affected |
| Apache XMLBeans | Not affected, only uses log4j-api |
| Apache ZooKeeper | Not affected, uses log4j 1.x |
Posted at 01:16PM Dec 14, 2021
by mjc in General |
|