Hello,
We have a security alert regarding usage of log4j since a vulnerability has been identified (Apache log4j Vulnerability CVE-2021-4428: Analysis and Mitigations) on 09/12/2021.
Looking at dremio-os v19, I found that the log4j versions used are concerned, based on the LICENSES_FOR_DEPENDENCIES.md files:
|Apache Log4j API |2.13.3 |Apache 2.0 |
|Apache Log4j to SLF4J Adapter |2.13.3 |Apache 2.0 |
Can you confirm whether the log4j libraries used in Dremio are concerned?
If so, are you planning to release a fix or instructions to patch ourselves?
Thanks & regards