受 log4j CVE-2021-44228 影响的 Apache 项目
此条目是 Apache Security Team
在2021 年 12 月 14 日发布,收集 ASF 项目提供的声明的链接,声明是否受 CVE-2021-44228(Log4j2 中的安全问题)的影响。可以根据此条目进行排查。
Project | Status |
---|---|
Apache Ant | Not Affected, a deprecated module uses log4j 1.x |
Apache Archiva | Affected, release 2.2.6 will address this |
Apache AsterixDB | Affected, fixed in 0.9.7.1 |
Apache Calcite Avatica | Affected, update to 1.20.0 |
Apache Camel | Not affected |
Apache CloudStack | Not Affected |
Apache Druid | Affected, update to 0.22.1 |
Apache EventMesh | Affected |
Apache Flink | Affected |
Apache Fortress | Affected, update to 2.0.7 |
Apache Geode | Affected, update to 1.12.6, 1.13.5, 1.14.1 |
Apache Guacamole | Not Affected |
Apache Hadoop | Not affected, uses log4j 1.x |
Apache Hive | Affected |
Apache HTTP Server (httpd) | Not affected |
Apache Iceberg | Not Affected |
Apache James | Affected, update to 3.6.1 |
Apache Jena | Affected, update to 4.3.1 |
Apache JMeter | Affected |
Apache JSPWiki | Affected, update to 2.11.1 |
Apache Kafka | Not Affected |
Apache Log4J 1.2 | Not Affected, see CVE-2021-4104. Note Log4j 1.x is EOL since 2015. |
Apache Log4J 2.x | Affected, update to 2.16.0 |
Apache Log4Net | Not affected |
Apache Lucene | Affected, update to 8.11.1 |
Apache Maven | Not affected, Maven 3.1+ uses lsf4j simple-logger |
Apache OFBiz | Affected, update to 18.12.03 |
Apache Ozone | Affected, update to 1.2.1 |
Apache POI | Not affected, only uses log4j-api |
Apache SkyWalking | Affected, update to 8.9.1 |
Apache Sling | Not affected |
Apache Solr | Affected, update to 8.11.1 |
Apache Spark | Not affected, uses log4j 1.x |
Apache Subversion | Not affected |
Apache Struts | Affected |
Apache Tika | Affected (1.x is not affected as uses log4j 1.x) |
Apache Tomcat | Not Affected |
Apache TrafficControl | Affected |
Apache Uima | Not affected |
Apache XMLBeans | Not affected, only uses log4j-api |
Apache ZooKeeper | Not affected, uses log4j 1.x |