apache / druid

Apache Druid: a high performance real-time analytics database.
https://druid.apache.org/
Apache License 2.0

Security: remove use log of log4j v1 #12425

Closed pjfanning closed 7 months ago

pjfanning commented 2 years ago

Description

log4j v1 is end of life and full of security issues.

Can you upgrade to log4j v2.17.x or reload4j?

Motivation

Please provide the following for the desired feature or change:

FrankChen021 commented 2 years ago

The log4j v1 used by these two libs was introduced by #11794, and they're used for the test profile only. So I think it does not cause any security problems.

I don't know if it's possible to remove it or upgrade it to log4j2. What do you think? @cryptoe

cryptoe commented 2 years ago

Let's try to bump it to log4j2 and look at the travis runs.

murari-goswami commented 8 months ago

The log4j v1 is in use by the transitive dependencies below, other than the tests. Can we please bump this up to get the CVE fix?

+- org.apache.ranger:ranger-plugins-common:jar:2.0.0:compile
|  +- log4j:log4j:jar:1.2.17:compile

+- org.apache.hive.shims:hive-shims-0.23:jar:3.1.3:runtime
|  \- org.apache.hadoop:hadoop-yarn-server-resourcemanager:jar:3.1.0:runtime
|     +- log4j:log4j:jar:1.2.17:runtime
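As an added example (not code from this thread or from Druid), a check a maintainer can run over `mvn dependency:tree` output to see which parents pull in log4j 1.x and whether any path is compile/runtime rather than test scope, the distinction discussed above. The sample tree is constructed and the `org.example` coordinates are placeholders.

```python
"""Locate a vulnerable artifact in `mvn dependency:tree` output and report the
parent chain that pulls in each occurrence, together with its scope. Test-scoped
paths are kept apart from compile/runtime ones, which reach production classpaths."""
import re
from typing import Dict, List

# Constructed sample: the two paths quoted in the thread plus one test-only path
# for contrast. Real output carries a "[INFO] " prefix, which is stripped below.
SAMPLE_TREE = """\
org.example:app:jar:1.0.0
+- org.apache.ranger:ranger-plugins-common:jar:2.0.0:compile
|  +- log4j:log4j:jar:1.2.17:compile
+- org.apache.hive.shims:hive-shims-0.23:jar:3.1.3:runtime
|  \\- org.apache.hadoop:hadoop-yarn-server-resourcemanager:jar:3.1.0:runtime
|     +- log4j:log4j:jar:1.2.17:runtime
\\- org.example:test-helper:jar:1.0.0:test
   \\- log4j:log4j:jar:1.2.17:test
"""

# One tree node: indentation in 3-char groups ("|  " or "   "), a "+- " or "\- "
# connector, then groupId:artifactId:type[:classifier]:version:scope.
NODE_RE = re.compile(r"^((?:\|  |   )*)(?:\+- |\\- )(\S+)$")


def find_artifact(tree: str, group_artifact: str) -> Dict[str, List[str]]:
    """Return {"production": [...], "test": [...]}; each entry is one
    'parent > ... > artifact (scope)' chain."""
    lines = [ln.replace("[INFO] ", "", 1) for ln in tree.splitlines() if ln.strip()]
    stack: List[str] = [lines[0].strip()]  # stack[d] is the node at depth d
    hits: Dict[str, List[str]] = {"production": [], "test": []}
    for line in lines[1:]:
        m = NODE_RE.match(line)
        if not m:  # e.g. verbose "(... omitted for duplicate)" entries: skipped
            continue
        depth = len(m.group(1)) // 3 + 1
        del stack[depth:]  # unwind to this node's parent
        stack.append(m.group(2))
        parts = m.group(2).split(":")
        if f"{parts[0]}:{parts[1]}" != group_artifact:
            continue
        scope = parts[-1]
        bucket = "test" if scope == "test" else "production"
        hits[bucket].append(" > ".join(stack[1:]) + f" ({scope})")
    return hits


if __name__ == "__main__":
    for bucket, chains in find_artifact(SAMPLE_TREE, "log4j:log4j").items():
        print(f"{bucket}:", *("  " + c for c in chains), sep="\n")
```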