Apache projects affected by log4j CVE-2021-44228
This entry is where we will collect links to statements provided by ASF projects on if they are affected by CVE-2021-44228, the security issue in Log4j2.
Project | Status |
---|---|
Apache Ant | Not Affected, a deprecated module uses log4j 1.x |
Apache Archiva | Affected, release 2.2.6 will address this |
Apache AsterixDB | Affected, fixed in 0.9.7.1 |
Apache Calcite Avatica | Affected, update to 1.20.0 |
Apache Camel | Not affected |
Apache CloudStack | Not Affected |
Apache Druid | Affected, update to 0.22.1 |
Apache EventMesh | Affected |
Apache Flink | Affected, fixed in 1.14.2, 1.13.5, 1.12,7, 1.11.6 |
Apache Fortress | Affected, update to 2.0.7 |
Apache Geode | Affected, update to 1.12.6, 1.13.5, 1.14.1 |
Apache Guacamole | Not Affected |
Apache Hadoop | Not affected, uses log4j 1.x |
Apache Hive | Affected |
Apache HTTP Server (httpd) | Not affected |
Apache Iceberg | Not Affected |
Apache James | Affected, update to 3.6.1 |
Apache Jena | Affected, update to 4.3.1 |
Apache JMeter | Affected, update to 5.4.2 |
Apache JSPWiki | Affected, update to 2.11.1 |
Apache Kafka | Not Affected |
Apache Log4J 1.2 | Not Affected, see CVE-2021-4104. Note Log4j 1.x is EOL since 2015. |
Apache Log4J 2.x | Affected, update to 2.16.0 |
Apache Log4Net | Not affected |
Apache Lucene | Affected, update to 8.11.1 |
Apache Maven | Not affected, Maven 3.1+ uses lsf4j simple-logger |
Apache OFBiz | Affected, update to 18.12.03 |
Apache Ozone | Affected, update to 1.2.1 |
Apache POI | Not affected, only uses log4j-api |
Apache SkyWalking | Affected, update to 8.9.1 |
Apache Sling | Not affected |
Apache Solr | Affected, update to 8.11.1 |
Apache Spark | Not affected, uses log4j 1.x |
Apache Subversion | Not affected |
Apache Struts | Affected |
Apache Tika | Affected (1.x is not affected as uses log4j 1.x) |
Apache Tomcat | Not Affected |
Apache TrafficControl | Not affected, used log4j 1.x |
Apache Uima | Not affected |
Apache XMLBeans | Not affected, only uses log4j-api |
Apache ZooKeeper | Not affected, uses log4j 1.x |