openzipkin / zipkin-dependencies

Spark job that aggregates zipkin spans for use in the UI
Apache License 2.0

Update log4j to version 2.17.2 #203

Closed l00zak closed 10 months ago

l00zak commented 2 years ago

Describe the Bug

Zipkin-dependencies still uses vulnerable log4j library 1.2.17:
https://www.cvedetails.com/cve/CVE-2019-17571/
https://www.cvedetails.com/cve/CVE-2021-4104/
https://www.cvedetails.com/cve/CVE-2022-23302/
https://www.cvedetails.com/cve/CVE-2022-23305/

Steps to Reproduce

https://github.com/openzipkin/zipkin-dependencies/search?q=log4j

Expected Behaviour

Update log4j to version 2.17.2

codefromthecrypt commented 10 months ago

latest doesn't use this version