Notes on Apache Log4j Zero Day (CVE-2021-44228)

less than 1 minute read

Apache RocketMQ is not affected by this CVE-2021-44228.

  • Apache RocketMQ does not depend on log4j2 actually, although there are imports in the pom file.
  • Apache RocketMQ’s broker depends on the logback,and RocketMQ’s client depends on log4j2, but its dependency scope is test, and the related dependencies have been deleted in this PR #3635 .
  • Apache RocketMQ’s logappender depends on log4j2, but it is optional, Therefore, the release file does not contain log4j2 related dependencies.
  • Apache RocketMQ still bumped up the log4j2 version in PRs #3621 #3623, and developers can cherry-pick related PRs to your private repo to deal with code scanning, and we expect RocketMQ 4.9.3 to be released in the next 1-2 weeks.



Leave a Comment