Notes on Apache Log4j Zero Day (CVE-2021-44228)
Apache RocketMQ is not affected by CVE-2021-44228.
- Apache RocketMQ does not actually depend on log4j2 at runtime, although log4j2 artifacts are declared in the pom file.
- Apache RocketMQ's broker depends on logback, and RocketMQ's client depends on log4j2 only with test scope, so it is not pulled into the published artifacts; the related dependencies have been removed in PR #3635.
- Apache RocketMQ's logappender module depends on log4j2, but that dependency is marked optional, so the release distribution does not contain any log4j2 artifacts.
- Apache RocketMQ has nevertheless bumped the log4j2 version in PRs #3621 and #3623; developers can cherry-pick those PRs into their private repository to satisfy code scanning, and we expect RocketMQ 4.9.3 to be released in the next 1-2 weeks.
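The statements above are about Maven dependency scope (test-scoped and optional dependencies are not shipped), but the check a practitioner actually wants is against the unpacked release itself: does any jar in the distribution carry log4j-core, or the JndiLookup class that CVE-2021-44228 abuses, including copies hidden inside shaded or fat jars? The scanner below is an added example, not RocketMQ project code; the sample lib/ directory it builds (logback, log4j-api, two log4j-core versions, a shaded jar, a fat jar) and all jar names in it are constructed for illustration, and the fake class bytes stand in for real class files.

```python
"""Check an unpacked Java distribution (e.g. a RocketMQ release) for log4j-core
and for the JndiLookup class behind CVE-2021-44228.

Added example, not RocketMQ project code. Jar names, paths and the sample
distribution below are constructed for illustration."""
import io
import os
import re
import tempfile
import zipfile

# JndiLookup lives in log4j-core, not log4j-api: an api-only dependency does not
# carry the vulnerable code. Matching on the suffix also catches jars whose
# packages were relocated by the Maven shade plugin (e.g. shaded/org/apache/...).
JNDI_LOOKUP_SUFFIX = "log4j/core/lookup/JndiLookup.class"
LOG4J_CORE_JAR = re.compile(r"^log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")
FIRST_FIXED = (2, 15, 0)  # 2.15.0 removed the message lookup behind CVE-2021-44228
REASON_CLASS = "contains JndiLookup.class"


def version_reason(jar_name):
    """Classify a jar by file name; None when it is not log4j-core at all."""
    m = LOG4J_CORE_JAR.match(os.path.basename(jar_name))
    if not m:
        return None
    version = tuple(int(x) for x in m.groups())
    label = ".".join(map(str, version))
    if version < FIRST_FIXED:
        return f"log4j-core {label} < 2.15.0 (CVE-2021-44228)"
    # later log4j 2.x advisories raised the recommended floor further
    return f"log4j-core {label} >= 2.15.0 (check later log4j advisories)"


def inspect_jar(name, data, findings, depth=0):
    """Record reasons for one jar given as bytes. Recurses one level into
    nested jars (BOOT-INF/lib/*.jar in fat jars) so bundled copies are found."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    reasons = []
    vr = version_reason(name)
    if vr:
        reasons.append(vr)
    with zf:
        entries = zf.namelist()
        if any(e.endswith(JNDI_LOOKUP_SUFFIX) for e in entries):
            reasons.append(REASON_CLASS)
        if depth == 0:
            for entry in entries:
                if entry.endswith(".jar"):
                    inspect_jar(f"{name}!/{entry}", zf.read(entry), findings, depth + 1)
    if reasons:
        findings[name] = sorted(reasons)


def scan_distribution(root):
    """Walk an unpacked distribution; return {jar path relative to root: [reasons]}."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.endswith(".jar"):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as f:
                    inspect_jar(os.path.relpath(path, root), f.read(), findings)
    return findings


def jar_bytes(entries):
    """Build a minimal jar (zip) in memory from {entry name: bytes}; test data only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for entry, data in entries.items():
            zf.writestr(entry, data)
    return buf.getvalue()


def build_sample_distribution(root):
    """Constructed sample lib/ directory: a logback jar, an api-only jar, a
    vulnerable core jar, a patched core jar, a shaded copy and a fat jar."""
    lib = os.path.join(root, "lib")
    os.makedirs(lib, exist_ok=True)
    fake_class = b"\xca\xfe\xba\xbe"  # class-file magic, enough for this check
    core = "org/apache/logging/" + JNDI_LOOKUP_SUFFIX
    samples = {
        "logback-classic-1.2.3.jar": {"ch/qos/logback/classic/Logger.class": fake_class},
        "log4j-api-2.14.1.jar": {"org/apache/logging/log4j/LogManager.class": fake_class},
        "log4j-core-2.14.1.jar": {core: fake_class},
        "log4j-core-2.17.1.jar": {core: fake_class},
        "app-shaded.jar": {"shaded/" + core: fake_class},
        "app-fat.jar": {"BOOT-INF/lib/log4j-core-2.14.1.jar": jar_bytes({core: fake_class})},
    }
    for name, entries in samples.items():
        with open(os.path.join(lib, name), "wb") as f:
            f.write(jar_bytes(entries))
    return lib


def run_sample_scan():
    """Build the sample distribution in a temp dir, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_distribution(tmp)
        return scan_distribution(tmp)


if __name__ == "__main__":
    for jar, reasons in sorted(run_sample_scan().items()):
        print(jar, "->", "; ".join(reasons))
```

On a genuine RocketMQ release the expectation from the notes above is an empty result for the lib/ directory. Two caveats the sample makes visible: a shaded or fat jar never matches the log4j-core file name, so the class-name match is the check that matters, and a patched log4j-core (2.15.0 and later) still ships JndiLookup.class, so class presence alone is a prompt to read the version, not a verdict.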