Log4j vulnerability


We have a security alert regarding the use of log4j, since a vulnerability was identified (Apache log4j Vulnerability CVE-2021-4428: Analysis and Mitigations) on 09/12/2021.
Looking at dremio-os v19, I found that the log4j versions used are concerned, based on the LICENSES_FOR_DEPENDENCIES.md file:
| Dependency | Version | License |
|---|---|---|
| Apache Log4j API | 2.13.3 | Apache 2.0 |
| Apache Log4j to SLF4J Adapter | 2.13.3 | Apache 2.0 |

Can you confirm whether the log4j libraries used in Dremio are concerned?
If so, are you planning to release a fix, or instructions so we can patch it ourselves?

Thanks & regards

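The dependency list quoted above names log4j-api and the log4j-to-slf4j adapter, and the class that CVE-2021-44228 (Log4Shell) abuses, `org.apache.logging.log4j.core.lookup.JndiLookup`, ships only in log4j-core. So the practical check on any deployment is to look at the jars actually on disk, not the license list. The scanner below is an added example written for this thread, not code from Dremio or from the original post; it builds a handful of constructed jars in a temporary directory (one log4j-api jar, one adapter jar, a vulnerable log4j-core, a patched log4j-core, a shaded jar with no manifest version, and a core jar from which JndiLookup.class was deleted) and classifies each. The version threshold 2.15.0 is the first 2.x mainline release that fixed CVE-2021-44228; the 2.12.2 and 2.3.1 backports for older JDKs are not special-cased here and would simply be reported as vulnerable for manual review.

```python
"""Classify jars by whether they carry the log4j-core JNDI lookup behind Log4Shell.

Added example for this thread; assumes nothing about Dremio's own layout.
Point scan_dir() at a real lib/ directory to use it for real.
"""
import os
import re
import tempfile
import zipfile

# CVE-2021-44228 is triggered through this class, which exists only in log4j-core.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
CORE_PREFIX = "org/apache/logging/log4j/core/"
LOG4J_PREFIX = "org/apache/logging/"          # log4j-api, bridges, adapters, core
FIRST_FIXED = (2, 15, 0)                       # first 2.x mainline fix for CVE-2021-44228


def parse_version(text):
    """'2.13.3' -> (2, 13, 3); None when the string is not a dotted version."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", text or "")
    return tuple(int(x or 0) for x in m.groups()) if m else None


def manifest_version(zf):
    """Implementation-Version from META-INF/MANIFEST.MF, or None if absent."""
    try:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.MULTILINE)
    return m.group(1) if m else None


def inspect_jar(path):
    """Return one of: no-log4j, non-core, core-jndi-removed,
    core-vulnerable, core-patched, core-unknown-version."""
    with zipfile.ZipFile(path) as zf:
        names = zf.namelist()
        has_core = any(n.startswith(CORE_PREFIX) for n in names)
        has_log4j = any(n.startswith(LOG4J_PREFIX) for n in names)
        has_jndi = JNDI_LOOKUP in names
        version = parse_version(manifest_version(zf))
    if not has_log4j:
        return "no-log4j"
    if not has_core:
        return "non-core"               # log4j-api / log4j-to-slf4j: no JndiLookup at all
    if not has_jndi:
        return "core-jndi-removed"      # the "zip -q -d ... JndiLookup.class" mitigation
    if version is None:
        return "core-unknown-version"   # shaded/uber jars: review by hand
    return "core-patched" if version >= FIRST_FIXED else "core-vulnerable"


def scan_dir(directory):
    """Map each *.jar file name in directory to its classification."""
    return {
        name: inspect_jar(os.path.join(directory, name))
        for name in sorted(os.listdir(directory))
        if name.endswith(".jar")
    }


def _write_jar(path, entries, version=None):
    """Constructed jar: empty class entries plus an optional manifest version."""
    with zipfile.ZipFile(path, "w") as zf:
        if version:
            zf.writestr("META-INF/MANIFEST.MF",
                        "Manifest-Version: 1.0\nImplementation-Version: %s\n" % version)
        for entry in entries:
            zf.writestr(entry, b"")


def build_sample_jars(directory):
    """Constructed inputs covering every classification inspect_jar() returns."""
    api = ["org/apache/logging/log4j/Logger.class"]
    adapter = ["org/apache/logging/slf4j/SLF4JLogger.class"]
    core = ["org/apache/logging/log4j/core/Logger.class", JNDI_LOOKUP]
    stripped = [n for n in core if n != JNDI_LOOKUP]
    _write_jar(os.path.join(directory, "log4j-api-2.13.3.jar"), api, "2.13.3")
    _write_jar(os.path.join(directory, "log4j-to-slf4j-2.13.3.jar"), adapter, "2.13.3")
    _write_jar(os.path.join(directory, "log4j-core-2.13.3.jar"), core, "2.13.3")
    _write_jar(os.path.join(directory, "log4j-core-2.17.1.jar"), core, "2.17.1")
    _write_jar(os.path.join(directory, "app-shaded.jar"), core)           # no manifest
    _write_jar(os.path.join(directory, "log4j-core-stripped.jar"), stripped, "2.13.3")
    _write_jar(os.path.join(directory, "guava.jar"), ["com/google/common/base/Joiner.class"])


def demo():
    """Build the constructed jars in a temp dir and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_jars(tmp)
        return scan_dir(tmp)


if __name__ == "__main__":
    for jar, status in demo().items():
        print("%-28s %s" % (jar, status))
```

Run against a real installation with `scan_dir("/path/to/dremio/jars")`; anything reported as `core-vulnerable` or `core-unknown-version` is the set to act on, while `non-core` confirms the jar is log4j-api or a bridge and carries no JndiLookup.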

Yeah, same here. We’d be really happy about an official statement by Dremio about this!

Same for us. We did a scan and found that Dremio is vulnerable to Log4Shell. We took down our Dremio instance while waiting for confirmation or a fix from the Dremio team.


Dremio is not affected by the vulnerability. Here is our security advisory.