Solved

data collector 4.4.1 still using log4j-1.2.17.jar


Recently noticed that data collector 4.4.1 is still using the log4j-1.2.17.jar under multiple libraries. Is there any plan on addressing this, as the installation of Apache Log4j 1.x is no longer supported and reached EOL in 2015? Additionally, Log4j 1.x is affected by multiple vulnerabilities.

Some of the lib locations:

/streamsets-datacollector/api-lib/log4j-1.2.17.jar

/streamsets-datacollector/streamsets-libs/streamsets-datacollector-jdbc-lib/lib/log4j-1.2.17.jar

/streamsets-datacollector/streamsets-libs/streamsets-datacollector-jms-lib/lib/log4j-1.2.17.jar

/streamsets-datacollector/streamsets-libs/streamsets-datacollector-mysql-binlog-lib/lib/log4j-1.2.17.jar

/streamsets-datacollector/streamsets-libs/streamsets-datacollector-rabbitmq-lib/lib/log4j-1.2.17.jar

/streamsets-datacollector/streamsets-libs/streamsets-datacollector-couchbase_5-lib/lib/log4j-1.2.17.jar

 


3 replies

dima
StreamSets Employee
  • StreamSets Employee
  • 83 replies
  • Answer
  • April 9, 2022

This will be addressed in an upcoming release of StreamSets Data Collector. Stay tuned. 


  • Fan
  • 1 reply
  • July 11, 2022

Hello! Is there any update on the usage of log4j in data collector? We’ve deployed 5.0.0 collector and see log4j v1 is still in use (/opt/streamsets-datacollector/streamsets-libs/streamsets-datacollector-sql-server-bdc-lib/lib/log4j-1.2.17.jar).

Thank you!


dima
StreamSets Employee
  • StreamSets Employee
  • 83 replies
  • July 12, 2022

Hi @l3ender,

Data Collector 5.0.0 doesn't use any Log4j 1.x libraries. What you’re seeing there is the SQL Server 2019 Big Data Cluster enterprise stage library that's not part of the core Data Collector offering. At this time, I don't have any updates on if or when that particular enterprise stage library will be updated to remove use of Log4j 1.x. 
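
For anyone auditing their own install along the lines discussed in this thread, the following is an added example (not part of the original posts and not StreamSets code) that inventories Log4j 1.x jars under a Data Collector directory and groups them by stage library, so core directories such as `api-lib` can be told apart from individual stage libraries. Matching is by file name plus, as an assumed heuristic, the presence of `org/apache/log4j/Category.class` inside the jar to catch renamed or bundled copies; other jars that re-implement the Log4j 1 API can also match by content and need manual review.

```python
import re
import sys
import zipfile
from collections import defaultdict
from pathlib import Path

NAME_RE = re.compile(r"^log4j-1\.\d+(\.\d+)*\.jar$")   # e.g. log4j-1.2.17.jar
MARKER = "org/apache/log4j/Category.class"             # heuristic marker (assumption)


def component_of(jar: Path, root: Path) -> str:
    """Return the stage library name, or the top-level directory for core jars."""
    parts = jar.relative_to(root).parts
    if "streamsets-libs" in parts:
        i = parts.index("streamsets-libs")
        if i + 1 < len(parts) - 1:          # there is a directory below streamsets-libs
            return parts[i + 1]
    return parts[0] if len(parts) > 1 else "."


def has_marker(jar: Path) -> bool:
    """True if the jar bundles the Log4j 1 API package; unreadable jars are skipped."""
    try:
        with zipfile.ZipFile(jar) as zf:
            return MARKER in zf.namelist()
    except (zipfile.BadZipFile, OSError):
        return False


def find_log4j1(root):
    """Map component -> [(relative jar path, 'name' or 'content')]."""
    root = Path(root)
    hits = defaultdict(list)
    for jar in sorted(root.rglob("*.jar")):
        by_name = bool(NAME_RE.match(jar.name))
        if by_name or has_marker(jar):
            how = "name" if by_name else "content"
            rel = jar.relative_to(root).as_posix()
            hits[component_of(jar, root)].append((rel, how))
    return dict(hits)


if __name__ == "__main__":
    # Usage: python find_log4j1.py /path/to/streamsets-datacollector
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for comp, jars in find_log4j1(target).items():
        for path, how in jars:
            print(f"{comp}\t{path}\t{how}")
```
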

