---
layout: post
status: PUBLISHED
published: true
title: Apache projects affected by log4j CVE-2021-44228
id: 6702dfde-d259-4c74-959a-11f1075051a9
date: '2021-12-14 13:16:55 -0500'
categories: security
tags:
- cve
permalink: security/entry/cve-2021-44228
---
<p>This entry is where we will collect links to statements provided by ASF projects on whether they are affected by <a href="https://www.cve.org/CVERecord?id=CVE-2021-44228">CVE-2021-44228</a>, the security issue in Log4j2.</p>
<table>
<thead>
<tr>
<th>Project</th>
<th>Status</th>
</tr>
</thead>
<tbody>
<tr>
<td>Apache Ant</td>
<td>Not Affected, a deprecated module uses log4j 1.x</td>
</tr>
<tr>
<td>Apache Archiva</td>
<td><a href="https://lists.apache.org/thread/bmvhs0jxhf4vxcjxyhozm058pchykcqx">Affected, release 2.2.6 will address this</a></td>
</tr>
<tr>
<td>Apache AsterixDB</td>
<td><a href="https://mail-archives.apache.org/mod_mbox/asterixdb-dev/202112.mbox/%3CCAKMqrgdCtD-zdjevomWdEv8ADcjH_2_235UoN3ZBk6x1uQ2jMA%40mail.gmail.com%3E">Affected, fixed in 0.9.7.1</a></td>
</tr>
<tr>
<td>Apache Calcite Avatica</td>
<td><a href="https://lists.apache.org/thread/3vn3j4fmr2dn9s0x1604pdxz7x4fo8wz">Affected, update to 1.20.0</a></td>
</tr>
<tr>
<td>Apache Camel</td>
<td><a href="https://camel.apache.org/blog/2021/12/log4j2/">Not affected</a></td>
</tr>
<tr>
<td>Apache CloudStack</td>
<td><a href="https://blogs.apache.org/cloudstack/entry/log4jshell">Not Affected</a></td>
</tr>
<tr>
<td>Apache Druid</td>
<td><a href="https://lists.apache.org/thread/pzk9x1mw8tq79nzkhbtgbtk940jwbxzy">Affected, update to 0.22.1</a></td>
</tr>
<tr>
<td>Apache EventMesh</td>
<td><a href="https://github.com/apache/incubator-eventmesh/pull/643">Affected</a></td>
</tr>
<tr>
<td>Apache Flink</td>
<td><a href="https://flink.apache.org/news/2021/12/16/log4j-patch-releases.html">Affected, fixed in 1.14.2, 1.13.5, 1.12.7, 1.11.6</a></td>
</tr>
<tr>
<td>Apache Fortress</td>
<td><a href="http://mail-archives.apache.org/mod_mbox/directory-fortress/202112.mbox/%3CD0012A8E-8F77-498C-ADEE-6C1C06B37E01%40apache.org%3E">Affected, update to 2.0.7</a></td>
</tr>
<tr>
<td>Apache Geode</td>
<td><a href="https://lists.apache.org/thread/3ygshx7ph1wt1b0wddvz40qfboskpmwx">Affected, update to 1.12.6, 1.13.5, 1.14.1</a></td>
</tr>
<tr>
<td>Apache Guacamole</td>
<td><a href="https://issues.apache.org/jira/projects/GUACAMOLE/issues/GUACAMOLE-1474">Not Affected</a></td>
</tr>
<tr>
<td>Apache Hadoop</td>
<td>Not affected, uses log4j 1.x</td>
</tr>
<tr>
<td>Apache Hive</td>
<td><a href="https://issues.apache.org/jira/browse/HIVE-25795">Affected</a></td>
</tr>
<tr>
<td>Apache HTTP Server (httpd)</td>
<td>Not affected</td>
</tr>
<tr>
<td>Apache Iceberg</td>
<td><a href="https://github.com/apache/iceberg/issues/3710">Not Affected</a></td>
</tr>
<tr>
<td>Apache James</td>
<td><a href="https://lists.apache.org/thread/5nyq6dqszhrmzsjg7bhmw7hd4m5rs7h6">Affected, update to 3.6.1</a></td>
</tr>
<tr>
<td>Apache Jena</td>
<td><a href="https://lists.apache.org/thread/pgz3roryymvw6lf5zs43m0f8p48o11s7">Affected, update to 4.3.1</a></td>
</tr>
<tr>
<td>Apache JMeter</td>
<td><a href="https://lists.apache.org/thread/0qjqgpxqhwho8vfvhq0x8xom3zjkl9kd">Affected, update to 5.4.2</a></td>
</tr>
<tr>
<td>Apache JSPWiki</td>
<td><a href="https://lists.apache.org/thread/yb2t0so290mfjh9d0ct38b9x5k0yq04b">Affected, update to 2.11.1</a></td>
</tr>
<tr>
<td>Apache Kafka</td>
<td><a href="https://kafka.apache.org/cve-list">Not Affected</a></td>
</tr>
<tr>
<td>Apache Log4J 1.2</td>
<td><a href="https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx">Not Affected, see CVE-2021-4104</a>. Note that Log4j 1.x has been EOL since 2015.</td>
</tr>
<tr>
<td>Apache Log4J 2.x</td>
<td><a href="https://logging.apache.org/log4j/2.x/security.html">Affected, update to 2.16.0</a></td>
</tr>
<tr>
<td>Apache Log4Net</td>
<td>Not affected</td>
</tr>
<tr>
<td>Apache Lucene</td>
<td><a href="https://lists.apache.org/thread/065766dldbv7o37cxopy2w41xws5mffb">Affected, update to 8.11.1</a></td>
</tr>
<tr>
<td>Apache Maven</td>
<td>Not affected, Maven 3.1+ uses slf4j simple-logger</td>
</tr>
<tr>
<td>Apache OFBiz</td>
<td><a href="https://ofbiz.apache.org/release-notes-18.12.03.html">Affected, update to 18.12.03</a></td>
</tr>
<tr>
<td>Apache Ozone</td>
<td><a href="https://github.com/apache/ozone/releases/tag/ozone-1.2.1-RC0">Affected, update to 1.2.1</a></td>
</tr>
<tr>
<td>Apache POI</td>
<td><a href="https://markmail.org/message/y7gn2ndow5ltepkh">Not affected, only uses log4j-api</a></td>
</tr>
<tr>
<td>Apache SkyWalking</td>
<td><a href="https://github.com/apache/skywalking/blob/8.9.1/CHANGES.md">Affected, update to 8.9.1</a></td>
</tr>
<tr>
<td>Apache Sling</td>
<td><a href="https://lists.apache.org/thread/9vodf0cbn2nlo8jqbbt1v7lvs6ml3nrx">Not affected</a></td>
</tr>
<tr>
<td>Apache Solr</td>
<td><a href="https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228">Affected, update to 8.11.1</a></td>
</tr>
<tr>
<td>Apache Spark</td>
<td><a href="https://issues.apache.org/jira/browse/SPARK-37630">Not affected, uses log4j 1.x</a></td>
</tr>
<tr>
<td>Apache Subversion</td>
<td>Not affected</td>
</tr>
<tr>
<td>Apache Struts</td>
<td><a href="https://struts.apache.org/announce-2021#a20211212-2">Affected</a></td>
</tr>
<tr>
<td>Apache Tika</td>
<td><a href="https://lists.apache.org/thread/tbpbtzdt1moqpm5b4ftf3pgwyq9vbq5z">Affected</a> (1.x is not affected as it uses log4j 1.x)</td>
</tr>
<tr>
<td>Apache Tomcat</td>
<td><a href="https://mail-archives.apache.org/mod_mbox/www-announce/202112.mbox/%3c028d1058-2e48-f72c-2037-2070d73b7411@apache.org%3e">Not Affected</a></td>
</tr>
<tr>
<td>Apache TrafficControl</td>
<td><a href="https://github.com/apache/trafficcontrol/pull/6390">Not affected, used log4j 1.x</a></td>
</tr>
<tr>
<td>Apache Uima</td>
<td><a href="https://uima.apache.org/security_report">Not affected</a></td>
</tr>
<tr>
<td>Apache XMLBeans</td>
<td><a href="https://markmail.org/message/y7gn2ndow5ltepkh">Not affected, only uses log4j-api</a></td>
</tr>
<tr>
<td>Apache ZooKeeper</td>
<td>Not affected, uses log4j 1.x</td>
</tr>
</tbody>
</table>