受 log4j CVE-2021-44228 影响的 Apache 项目
此条目是 Apache Security Team 在2021 年 12 月 14 日发布,收集 ASF 项目提供的声明的链接,声明是否受 CVE-2021-44228(Log4j2 中的安全问题)的影响。可以根据此条目进行排查。
| Project | Status |
|---|---|
| Apache Ant | Not Affected, a deprecated module uses log4j 1.x |
| Apache Archiva | Affected, release 2.2.6 will address this |
| Apache AsterixDB | Affected, fixed in 0.9.7.1 |
| Apache Calcite Avatica | Affected, update to 1.20.0 |
| Apache Camel | Not affected |
| Apache CloudStack | Not Affected |
| Apache Druid | Affected, update to 0.22.1 |
| Apache EventMesh | Affected |
| Apache Flink | Affected |
| Apache Fortress | Affected, update to 2.0.7 |
| Apache Geode | Affected, update to 1.12.6, 1.13.5, 1.14.1 |
| Apache Guacamole | Not Affected |
| Apache Hadoop | Not affected, uses log4j 1.x |
| Apache Hive | Affected |
| Apache HTTP Server (httpd) | Not affected |
| Apache Iceberg | Not Affected |
| Apache James | Affected, update to 3.6.1 |
| Apache Jena | Affected, update to 4.3.1 |
| Apache JMeter | Affected |
| Apache JSPWiki | Affected, update to 2.11.1 |
| Apache Kafka | Not Affected |
| Apache Log4J 1.2 | Not Affected, see CVE-2021-4104. Note Log4j 1.x is EOL since 2015. |
| Apache Log4J 2.x | Affected, update to 2.16.0 |
| Apache Log4Net | Not affected |
| Apache Lucene | Affected, update to 8.11.1 |
| Apache Maven | Not affected, Maven 3.1+ uses lsf4j simple-logger |
| Apache OFBiz | Affected, update to 18.12.03 |
| Apache Ozone | Affected, update to 1.2.1 |
| Apache POI | Not affected, only uses log4j-api |
| Apache SkyWalking | Affected, update to 8.9.1 |
| Apache Sling | Not affected |
| Apache Solr | Affected, update to 8.11.1 |
| Apache Spark | Not affected, uses log4j 1.x |
| Apache Subversion | Not affected |
| Apache Struts | Affected |
| Apache Tika | Affected (1.x is not affected as uses log4j 1.x) |
| Apache Tomcat | Not Affected |
| Apache TrafficControl | Affected |
| Apache Uima | Not affected |
| Apache XMLBeans | Not affected, only uses log4j-api |
| Apache ZooKeeper | Not affected, uses log4j 1.x |