Closed pjfanning closed 7 months ago
The log4j v1 used by these two libs was introduced by #11794, and they're used for the test profile only. So I think it does not cause any security problems.
I don't know if it's possible to remove it or upgrade it to log4j2. What do you think? @cryptoe
Let's try to bump it to log4j2 and look at the travis runs.
The log4j v1 is in use for the below transitive dependencies other than the tests. Can we please bump this up to get the CVE fix?
```
+- org.apache.ranger:ranger-plugins-common:jar:2.0.0:compile
|  +- log4j:log4j:jar:1.2.17:compile
+- org.apache.hive.shims:hive-shims-0.23:jar:3.1.3:runtime
   \- org.apache.hadoop:hadoop-yarn-server-resourcemanager:jar:3.1.0:runtime
      +- log4j:log4j:jar:1.2.17:runtime
```
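One way to act on the two paths shown in that tree, as an added example rather than anything from this thread or the project's own build files: exclude `log4j:log4j` at the two direct dependencies that pull it in (a Maven exclusion covers the whole transitive subtree, so the `hadoop-yarn-server-resourcemanager` path under `hive-shims-0.23` is covered too), then supply a replacement for the 1.x API. The artifact coordinates are the ones on the page; the `reload4j` and `log4j-1.2-api` versions are placeholders to fill in.

```xml
<!-- Added example, not from the issue thread or the project's pom.
     Cuts the EOL log4j 1.2.17 out of both transitive paths listed above
     and provides a 1.x-API-compatible replacement. -->
<dependencies>
  <dependency>
    <groupId>org.apache.ranger</groupId>
    <artifactId>ranger-plugins-common</artifactId>
    <version>2.0.0</version>
    <exclusions>
      <exclusion>
        <groupId>log4j</groupId>
        <artifactId>log4j</artifactId>
      </exclusion>
    </exclusions>
  </dependency>

  <dependency>
    <groupId>org.apache.hive.shims</groupId>
    <artifactId>hive-shims-0.23</artifactId>
    <version>3.1.3</version>
    <scope>runtime</scope>
    <!-- Exclusion applies to everything below this node, including
         hadoop-yarn-server-resourcemanager -> log4j:log4j -->
    <exclusions>
      <exclusion>
        <groupId>log4j</groupId>
        <artifactId>log4j</artifactId>
      </exclusion>
    </exclusions>
  </dependency>

  <!-- Option A: reload4j is a drop-in fork that keeps the log4j 1.x API
       with the known 1.x CVEs fixed. Version is a placeholder. -->
  <dependency>
    <groupId>ch.qos.reload4j</groupId>
    <artifactId>reload4j</artifactId>
    <version>REPLACE_WITH_CURRENT_RELOAD4J_VERSION</version>
    <scope>runtime</scope>
  </dependency>

  <!-- Option B (use instead of A): route log4j 1.x API calls into log4j2.
       Its version must match the log4j-core already on the classpath. -->
  <!--
  <dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-1.2-api</artifactId>
    <version>REPLACE_WITH_LOG4J2_VERSION</version>
    <scope>runtime</scope>
  </dependency>
  -->
</dependencies>
```

To confirm the exclusions took effect, `mvn dependency:tree -Dincludes=log4j:log4j` should no longer print any `log4j:log4j:jar:1.2.17` node in the compile or runtime scopes; any remaining hit points at a third path the tree above did not list.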
Description
log4j v1 is end of life and full of security issues
Can you upgrade to log4j v2.17.x or reload4j?