h2o-3
updated log4j library to reload4j in order to address vulnerabilities
updated log4j library to reload4j in order to address CVE-2022-23305, CVE-2022-23302, CVE-2021-4104 and CVE-2019-17571
Thank you for the suggestion @occhioni-esteco
FYI: we currently do not use log4j 1.x in any of our standalone builds; we only use it for Hadoop builds and SW builds, and both Hadoop and Spark come with log4j.
Even if we switched to the suggested library, it won't affect the security of the application, since Hadoop/Spark will have the original log4j on the classpath.
Thanks @michalkurka for looking into this.
You're right, the fix will probably not affect the standalone builds. The purpose of the fix is mainly to fix the transitive dependency on log4j 1.x for those codebases using h2o-core as an external dependency. Right now h2o-core depends on h2o-logging-impl-classic, which depends on log4j 1.2.17.
If this fix is not applied, we can assume that external projects that want to be "vulnerability safe" and have h2o-core as a dependency will have to exclude the log4j transitive dependency and inject the reload4j module into the classpath.
Let me know what you think about it.
Thanks
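The workaround described in the comment above (exclude the transitive log4j 1.2.17 and put reload4j on the classpath), written as an added Gradle build fragment for a consumer project; it is not part of this PR or of h2o-3. The Maven coordinates `ai.h2o:h2o-core` and `ch.qos.reload4j:reload4j` and the version placeholders are assumptions.

```groovy
// Consumer project's build.gradle (added illustration, not h2o-3 code).
// Assumption: h2o-core is consumed as ai.h2o:h2o-core; versions are placeholders.
dependencies {
    // Drop the transitive log4j 1.2.17 that arrives via h2o-logging-impl-classic
    implementation('ai.h2o:h2o-core:<H2O_VERSION>') {
        exclude group: 'log4j', module: 'log4j'
    }
    // Supply the same org.apache.log4j API from the maintained reload4j fork
    implementation 'ch.qos.reload4j:reload4j:<RELOAD4J_VERSION>'
}

// Also redirect any other path that still requests log4j 1.x, so a second
// library cannot quietly reintroduce the vulnerable artifact.
configurations.all {
    resolutionStrategy.eachDependency { details ->
        if (details.requested.group == 'log4j' && details.requested.name == 'log4j') {
            details.useTarget 'ch.qos.reload4j:reload4j:<RELOAD4J_VERSION>'
            details.because 'log4j 1.x is end-of-life; use reload4j instead'
        }
    }
}
```

Verify with `gradle dependencies --configuration runtimeClasspath` that no `log4j:log4j` entry remains. As noted earlier in the thread, this only changes the consumer's own classpath, not the log4j that Hadoop or Spark ship at runtime.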
Any updates on this topic?
@occhioni-esteco no updates yet - we are currently not investigating this option