
[Security] Should Upgrade Log4j to 2.17.1 in Prometheus Client dependency #14237

Closed
ethqunzhong opened this issue Feb 11, 2022 · 2 comments
Labels
type/bug The PR fixed a bug or issue reported a bug

Comments

@ethqunzhong
Contributor

Describe the bug
#13552 has fixed the log4j2 security bug.

After building the pulsar source code, in the generated dir apache-pulsar-2.10.0-SNAPSHOT/lib,
the third-party dependency libs are as follows:
[image]

Checking this lib's pom.xml, as follows, the log4j2 version is 2.1, which is lower than 2.17.1:
[image]

In the public maven repo, the latest version of io.prometheus.simpleclient_log4j2 is 0.15.0, whose log4j2 dependency is updated to 2.17.1.
Link: https://mvnrepository.com/artifact/io.prometheus/simpleclient_log4j2/0.15.0

Should we upgrade io.prometheus.simpleclient_log4j2 from version 0.5.0 to the latest (0.15.0) to avoid log4j2 security holes?

@ethqunzhong ethqunzhong added the type/bug The PR fixed a bug or issue reported a bug label Feb 11, 2022
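The check the issue describes by hand (look at what landed in `lib/`, then look at what a dependency's `pom.xml` declares) can be scripted. The following is an added example, not code from this issue or from the Pulsar project. It assumes the `groupId-artifactId-version.jar` naming used in the Pulsar `lib/` directory, and the jar names and the `pom.xml` fragment it scans are constructed samples, not the real contents of the build.

```python
import re
import xml.etree.ElementTree as ET

# Minimum Log4j 2 version the issue treats as acceptable.
LOG4J_FLOOR = "2.17.1"
LOG4J_GROUP = "org.apache.logging.log4j"

# Constructed sample jar names in the Pulsar lib/ naming scheme
# (groupId-artifactId-version.jar); not the real contents of the build.
SAMPLE_LIB = [
    "org.apache.logging.log4j-log4j-core-2.1.jar",
    "org.apache.logging.log4j-log4j-api-2.17.1.jar",
    "io.prometheus-simpleclient_log4j2-0.5.0.jar",
    "com.google.guava-guava-31.0.1-jre.jar",
]

# Constructed sample pom.xml fragment declaring an old log4j-core through a
# property, the way a pom shipped inside a dependency jar often does.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><log4j.version>2.1</log4j.version></properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId>
      <version>${log4j.version}</version>
    </dependency>
    <dependency>
      <groupId>io.prometheus</groupId>
      <artifactId>simpleclient</artifactId>
      <version>0.5.0</version>
    </dependency>
  </dependencies>
</project>"""

# group (no hyphens) - artifact (may contain hyphens) - version [-classifier] .jar
JAR_RE = re.compile(r"^([^-]+)-(.+?)-(\d+(?:\.\d+)*)(?:-[A-Za-z0-9]+)?\.jar$")


def parse_version(v):
    """'2.17.1' -> (2, 17, 1). Tuple comparison gives 2.1 < 2.17.1, whereas a
    plain string comparison would wrongly rank '2.17.1' below '2.2'."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def jar_coordinates(jar_name):
    """Split a lib/ jar name into (groupId, artifactId, version), or None."""
    m = JAR_RE.match(jar_name)
    return m.groups() if m else None


def log4j_jars_below_floor(jar_names, floor=LOG4J_FLOOR):
    """Return [(jar, version)] for Log4j 2 jars older than the floor."""
    hits = []
    for jar in jar_names:
        coords = jar_coordinates(jar)
        if coords is None:
            continue
        group, _artifact, version = coords
        if group == LOG4J_GROUP and parse_version(version) < parse_version(floor):
            hits.append((jar, version))
    return hits


def _local(tag):
    """Strip the Maven XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def log4j_deps_below_floor(pom_xml, floor=LOG4J_FLOOR):
    """Return [(artifactId, version)] for Log4j 2 dependencies a pom.xml
    declares below the floor. ${prop} versions are resolved from <properties>;
    a version that cannot be resolved is reported as-is rather than skipped."""
    root = ET.fromstring(pom_xml)
    props = {}
    for el in root.iter():
        if _local(el.tag) == "properties":
            props = {_local(c.tag): (c.text or "").strip() for c in el}
    hits = []
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in dep}
        if fields.get("groupId") != LOG4J_GROUP:
            continue
        version = fields.get("version", "")
        m = re.fullmatch(r"\$\{(.+)\}", version)
        if m:
            version = props.get(m.group(1), version)
        if not version or not version[0].isdigit():
            hits.append((fields.get("artifactId", "?"), version or "unspecified"))
        elif parse_version(version) < parse_version(floor):
            hits.append((fields.get("artifactId", "?"), version))
    return hits


if __name__ == "__main__":
    for jar, v in log4j_jars_below_floor(SAMPLE_LIB):
        print(f"lib jar below {LOG4J_FLOOR}: {jar} ({v})")
    for art, v in log4j_deps_below_floor(SAMPLE_POM):
        print(f"pom declares {art} {v} (< {LOG4J_FLOOR})")
```

The two checks answer different questions. The `pom.xml` inside a dependency jar only shows what that artifact declares; Maven picks the effective version by nearest definition, and a version managed in the top-level build overrides what a transitive dependency asks for. So the jar that actually lands in `lib/` is the one that decides exposure, and the declared version is a hint about what would be pulled in if that management were absent.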
@shoothzj
Member

#13785 is trying to solve this

@ethqunzhong
Contributor Author

> #13785 is trying to solve this

Thanks for the reply.
