Alluxio / alluxio

Alluxio, data orchestration for analytics and machine learning in the cloud
https://www.alluxio.io
Apache License 2.0

Zookeeper 3.5.5 contains log4j CVE issue #16727

Open LuQQiu opened 1 year ago

LuQQiu commented 1 year ago

Alluxio Version: When running mvn dependency:tree

1. 
[INFO] +- org.alluxio:alluxio-core-common:jar:2.10.0-SNAPSHOT:compile
[INFO] |  +- org.apache.zookeeper:zookeeper:jar:3.5.5:compile
[INFO] |  |  +- org.slf4j:slf4j-log4j12:jar:1.7.25:compile
[INFO] |  |  \- log4j:log4j:jar:1.2.17:compile
2. 
"org.alluxio:alluxio-minicluster:jar:2.10.0-SNAPSHOT
[INFO] +- org.apache.curator:curator-test:jar:4.2.0:compile
[INFO] |  \- org.apache.zookeeper:zookeeper:jar:3.5.5:compile
[INFO] |     +- org.apache.yetus:audience-annotations:jar:0.5.0:compile
[INFO] |     \- log4j:log4j:jar:1.2.17:compile"

log4j 1.2.17 should be removed

Describe the bug
When running mvn dependency:tree


LuQQiu commented 1 year ago

When excluding log4j, compile throws errors

t alluxio-core-common: Compilation failure: Compilation failure:
[ERROR] /Users/alluxio/alluxioFolder/alluxio/core/common/src/main/java/alluxio/util/LogUtils.java:[21,24] package org.apache.log4j does not exist
[ERROR] /Users/alluxio/alluxioFolder/alluxio/core/common/src/main/java/alluxio/util/LogUtils.java:[24,22] cannot find symbol
[ERROR]   symbol:   class Log4jLoggerAdapter
[ERROR]   location: package org.slf4j.impl
[ERROR] /Users/alluxio/alluxioFolder/alluxio/core/common/src/main/java/alluxio/util/LogUtils.java:[78,47] package org.apache.log4j does not exist
[ERROR] /Users/alluxio/alluxioFolder/alluxio/core/common/src/main/java/alluxio/AlluxioRemoteLogFilter.java:[14,24] package org.apache.log4j does not exist
[ERROR] /Users/alluxio/alluxioFolder/alluxio/core/common/src/main/java/alluxio/AlluxioRemoteLogFilter.java:[15,28] package org.apache.log4j.spi does not exist
[ERROR] /Users/alluxio/alluxioFolder/alluxio/core/common/src/main/java/alluxio/AlluxioRemoteLogFilter.java:[16,28] package org.apache.log4j.spi does not exist
[ERROR] /Users/alluxio/alluxioFolder/alluxio/core/common/src/main/java/alluxio/AlluxioRemoteLogFilter.java:[25,45] cannot find symbol
[ERROR]   symbol: class Filter
[ERROR] /Users/alluxio/alluxioFolder/alluxio/core/common/src/main/java/alluxio/AlluxioRemoteLogFilter.java:[92,21] cannot find symbol
[ERROR]   symbol:   class LoggingEvent
[ERROR]   location: class alluxio.AlluxioRemoteLogFilter
[ERROR] -> [Help 1]

This includes real code changes
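The dependency trees quoted in this issue can be checked mechanically. The following is an added example, not part of the original thread or of Alluxio's code: it parses `mvn dependency:tree` text output and reports every chain through which `log4j:log4j` arrives. The function names and the sample string (constructed from the tree lines quoted above) are assumptions.

```python
import re

# One node of `mvn dependency:tree` text output: optional "[INFO] ", the
# tree-drawing indent (3 characters per level), a branch marker, the coordinate.
NODE = re.compile(
    r'^(?:\[INFO\] )?(?P<indent>(?:[| ] {2})*)(?P<branch>[+\\]- )?(?P<coord>\S+)$')

def paths_to(tree_text, group, artifact):
    """Return every dependency chain (outermost first) ending at group:artifact."""
    stack, hits = [], []
    for line in tree_text.splitlines():
        m = NODE.match(line.rstrip())
        if not m or m.group('coord').count(':') < 3:
            continue  # banner, blank line or anything that is not a tree node
        depth = len(m.group('indent')) // 3 + (1 if m.group('branch') else 0)
        # Drop siblings and deeper nodes; works even if the root line is missing.
        while stack and stack[-1][0] >= depth:
            stack.pop()
        stack.append((depth, m.group('coord')))
        if m.group('coord').split(':')[:2] == [group, artifact]:
            hits.append([coord for _, coord in stack])
    return hits

def declaring_parents(paths):
    """Artifacts that pull the target in directly, i.e. where an exclusion goes."""
    return {path[-2] for path in paths if len(path) > 1}

# Constructed sample: the tree lines quoted in the issue, with "[INFO] "
# added to the minicluster root line.
SAMPLE = r"""
[INFO] +- org.alluxio:alluxio-core-common:jar:2.10.0-SNAPSHOT:compile
[INFO] |  +- org.apache.zookeeper:zookeeper:jar:3.5.5:compile
[INFO] |  |  +- org.slf4j:slf4j-log4j12:jar:1.7.25:compile
[INFO] |  |  \- log4j:log4j:jar:1.2.17:compile
[INFO] org.alluxio:alluxio-minicluster:jar:2.10.0-SNAPSHOT
[INFO] +- org.apache.curator:curator-test:jar:4.2.0:compile
[INFO] |  \- org.apache.zookeeper:zookeeper:jar:3.5.5:compile
[INFO] |     +- org.apache.yetus:audience-annotations:jar:0.5.0:compile
[INFO] |     \- log4j:log4j:jar:1.2.17:compile
"""

if __name__ == "__main__":
    for chain in paths_to(SAMPLE, "log4j", "log4j"):
        print(" -> ".join(chain))
    print("declared by:", declaring_parents(paths_to(SAMPLE, "log4j", "log4j")))
```

Both chains pass through zookeeper 3.5.5, so that is the artifact an exclusion would target. The compile errors in the second comment show that alluxio-core-common also imports `org.apache.log4j` directly, which is why the exclusion alone does not build.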