---
layout: post
status: PUBLISHED
published: true
title: Apache projects affected by log4j CVE-2021-44228
id: 6702dfde-d259-4c74-959a-11f1075051a9
date: '2021-12-14 13:16:55 -0500'
categories: security
tags:
- cve
permalink: security/entry/cve-2021-44228
---
<p>This entry is where we will collect links to statements provided by ASF projects on if they are affected by <a href="https://www.cve.org/CVERecord?id=CVE-2021-44228">CVE-2021-44228</a>, the security issue in Log4j2.  </p>
<table>
<thead>
<tr>
<th>Project</th>
<th>Status</th>
</tr>
</thead>
<tbody>
<tr>
<td>Apache Ant</td>
<td>Not Affected, a deprecated module uses log4j 1.x</td>
</tr>
<tr>
<td>Apache Archiva</td>
<td><a href="https://lists.apache.org/thread/bmvhs0jxhf4vxcjxyhozm058pchykcqx">Affected, release 2.2.6 will address this</a></td>
</tr>
<tr>
<td>Apache AsterixDB</td>
<td><a href="https://mail-archives.apache.org/mod_mbox/asterixdb-dev/202112.mbox/%3CCAKMqrgdCtD-zdjevomWdEv8ADcjH_2_235UoN3ZBk6x1uQ2jMA%40mail.gmail.com%3E">Affected, fixed in 0.9.7.1</a></td>
</tr>
<tr>
<td>Apache Calcite Avatica</td>
<td><a href="https://lists.apache.org/thread/3vn3j4fmr2dn9s0x1604pdxz7x4fo8wz">Affected, update to 1.20.0</a></td>
</tr>
<tr>
<td>Apache Camel</td>
<td><a href="https://camel.apache.org/blog/2021/12/log4j2/">Not affected</a></td>
</tr>
<tr>
<td>Apache CloudStack</td>
<td><a href="https://blogs.apache.org/cloudstack/entry/log4jshell">Not Affected</a></td>
</tr>
<tr>
<td>Apache Druid</td>
<td><a href="https://lists.apache.org/thread/pzk9x1mw8tq79nzkhbtgbtk940jwbxzy">Affected, update to 0.22.1</a></td>
</tr>
<tr>
<td>Apache EventMesh</td>
<td><a href="https://github.com/apache/incubator-eventmesh/pull/643">Affected</a></td>
</tr>
<tr>
<td>Apache Flink</td>
<td><a href="https://flink.apache.org/news/2021/12/16/log4j-patch-releases.html">Affected, fixed in 1.14.2, 1.13.5, 1.12,7, 1.11.6</a></td>
</tr>
<tr>
<td>Apache Fortress</td>
<td><a href="http://mail-archives.apache.org/mod_mbox/directory-fortress/202112.mbox/%3CD0012A8E-8F77-498C-ADEE-6C1C06B37E01%40apache.org%3E">Affected, update to 2.0.7</a></td>
</tr>
<tr>
<td>Apache Geode</td>
<td><a href="https://lists.apache.org/thread/3ygshx7ph1wt1b0wddvz40qfboskpmwx">Affected, update to 1.12.6, 1.13.5, 1.14.1</a></td>
</tr>
<tr>
<td>Apache Guacamole</td>
<td><a href="https://issues.apache.org/jira/projects/GUACAMOLE/issues/GUACAMOLE-1474">Not Affected</a></td>
</tr>
<tr>
<td>Apache Hadoop</td>
<td>Not affected, uses log4j 1.x</td>
</tr>
<tr>
<td>Apache Hive</td>
<td><a href="https://issues.apache.org/jira/browse/HIVE-25795">Affected</a></td>
</tr>
<tr>
<td>Apache HTTP Server (httpd)</td>
<td>Not affected</td>
</tr>
<tr>
<td>Apache Iceberg</td>
<td><a href="https://github.com/apache/iceberg/issues/3710">Not Affected</a></td>
</tr>
<tr>
<td>Apache James</td>
<td><a href="https://lists.apache.org/thread/5nyq6dqszhrmzsjg7bhmw7hd4m5rs7h6">Affected, update to 3.6.1</a></td>
</tr>
<tr>
<td>Apache Jena</td>
<td><a href="https://lists.apache.org/thread/pgz3roryymvw6lf5zs43m0f8p48o11s7">Affected, update to 4.3.1</a></td>
</tr>
<tr>
<td>Apache JMeter</td>
<td><a href="https://lists.apache.org/thread/0qjqgpxqhwho8vfvhq0x8xom3zjkl9kd">Affected, update to 5.4.2</a></td>
</tr>
<tr>
<td>Apache JSPWiki</td>
<td><a href="https://lists.apache.org/thread/yb2t0so290mfjh9d0ct38b9x5k0yq04b">Affected, update to 2.11.1</a></td>
</tr>
<tr>
<td>Apache Kafka</td>
<td><a href="https://kafka.apache.org/cve-list">Not Affected</a></td>
</tr>
<tr>
<td>Apache Log4J 1.2</td>
<td><a href="https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx">Not Affected, see CVE-2021-4104</a>. Note Log4j 1.x is EOL since 2015.</td>
</tr>
<tr>
<td>Apache Log4J 2.x</td>
<td><a href="https://logging.apache.org/log4j/2.x/security.html">Affected, update to 2.16.0</a></td>
</tr>
<tr>
<td>Apache Log4Net</td>
<td>Not affected</td>
</tr>
<tr>
<td>Apache Lucene</td>
<td><a href="https://lists.apache.org/thread/065766dldbv7o37cxopy2w41xws5mffb">Affected, update to 8.11.1</a></td>
</tr>
<tr>
<td>Apache Maven</td>
<td>Not affected, Maven 3.1+ uses lsf4j simple-logger</td>
</tr>
<tr>
<td>Apache OFBiz</td>
<td><a href="https://ofbiz.apache.org/release-notes-18.12.03.html">Affected, update to 18.12.03</a></td>
</tr>
<tr>
<td>Apache Ozone</td>
<td><a href="https://github.com/apache/ozone/releases/tag/ozone-1.2.1-RC0">Affected, update to 1.2.1</a></td>
</tr>
<tr>
<td>Apache POI</td>
<td><a href="https://markmail.org/message/y7gn2ndow5ltepkh">Not affected, only uses log4j-api</a></td>
</tr>
<tr>
<td>Apache SkyWalking</td>
<td><a href="https://github.com/apache/skywalking/blob/8.9.1/CHANGES.md">Affected, update to 8.9.1</a></td>
</tr>
<tr>
<td>Apache Sling</td>
<td><a href="https://lists.apache.org/thread/9vodf0cbn2nlo8jqbbt1v7lvs6ml3nrx">Not affected</a></td>
</tr>
<tr>
<td>Apache Solr</td>
<td><a href="https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228">Affected, update to 8.11.1</a></td>
</tr>
<tr>
<td>Apache Spark</td>
<td><a href="https://issues.apache.org/jira/browse/SPARK-37630">Not affected, uses log4j 1.x</a></td>
</tr>
<tr>
<td>Apache Subversion</td>
<td>Not affected</td>
</tr>
<tr>
<td>Apache Struts</td>
<td><a href="https://struts.apache.org/announce-2021#a20211212-2">Affected</a></td>
</tr>
<tr>
<td>Apache Tika</td>
<td><a href="https://lists.apache.org/thread/tbpbtzdt1moqpm5b4ftf3pgwyq9vbq5z">Affected</a> (1.x is not affected as uses log4j 1.x)</td>
</tr>
<tr>
<td>Apache Tomcat</td>
<td><a href="https://mail-archives.apache.org/mod_mbox/www-announce/202112.mbox/%3c028d1058-2e48-f72c-2037-2070d73b7411@apache.org%3e">Not Affected</a></td>
</tr>
<tr>
<td>Apache TrafficControl</td>
<td><a href="https://github.com/apache/trafficcontrol/pull/6390">Not affected, used log4j 1.x</a></td>
</tr>
<tr>
<td>Apache Uima</td>
<td><a href="https://uima.apache.org/security_report">Not affected</a></td>
</tr>
<tr>
<td>Apache XMLBeans</td>
<td><a href="https://markmail.org/message/y7gn2ndow5ltepkh">Not affected, only uses log4j-api</a></td>
</tr>
<tr>
<td>Apache ZooKeeper</td>
<td>Not affected, uses log4j 1.x</td>
</tr>
</tbody>
</table>