This entry collects links to statements from ASF projects on whether they are affected by CVE-2021-44228, the security issue in Log4j2.

Project Status
Apache Ant Not Affected, a deprecated module uses log4j 1.x
Apache Archiva Affected, release 2.2.6 will address this
Apache AsterixDB Affected, fixed in
Apache Calcite Avatica Affected, update to 1.20.0
Apache Camel Not affected
Apache CloudStack Not Affected
Apache Druid Affected, update to 0.22.1
Apache EventMesh Affected
Apache Flink Affected, fixed in 1.14.2, 1.13.5, 1.12.7, 1.11.6
Apache Fortress Affected, update to 2.0.7
Apache Geode Affected, update to 1.12.6, 1.13.5, 1.14.1
Apache Guacamole Not Affected
Apache Hadoop Not affected, uses log4j 1.x
Apache Hive Affected
Apache HTTP Server (httpd) Not affected
Apache Iceberg Not Affected
Apache James Affected, update to 3.6.1
Apache Jena Affected, update to 4.3.1
Apache JMeter Affected, update to 5.4.2
Apache JSPWiki Affected, update to 2.11.1
Apache Kafka Not Affected
Apache Log4J 1.2 Not Affected, see CVE-2021-4104. Note that Log4j 1.x has been EOL since 2015.
Apache Log4J 2.x Affected, update to 2.16.0
Apache Log4Net Not affected
Apache Lucene Affected, update to 8.11.1
Apache Maven Not affected, Maven 3.1+ uses slf4j simple-logger
Apache OFBiz Affected, update to 18.12.03
Apache Ozone Affected, update to 1.2.1
Apache POI Not affected, only uses log4j-api
Apache SkyWalking Affected, update to 8.9.1
Apache Sling Not affected
Apache Solr Affected, update to 8.11.1
Apache Spark Not affected, uses log4j 1.x
Apache Subversion Not affected
Apache Struts Affected
Apache Tika Affected (1.x is not affected as it uses log4j 1.x)
Apache Tomcat Not Affected
Apache TrafficControl Not affected, used log4j 1.x
Apache Uima Not affected
Apache XMLBeans Not affected, only uses log4j-api
Apache ZooKeeper Not affected, uses log4j 1.x