title: “Apache projects affected by log4j CVE-2021-44228” author: Mark Cox, VP Security date: 2021-12-14 description: This entry is where we will collect links to statements provided by ASF projects on if they are affected by CVE-2021-44228, the security issue in Log4j2.

Apache AntNot Affected, a deprecated module uses log4j 1.x
Apache ArchivaAffected, release 2.2.6 will address this
Apache AsterixDBAffected, fixed in
Apache Calcite AvaticaAffected, update to 1.20.0
Apache CamelNot affected
Apache CloudStackNot Affected
Apache DruidAffected, update to 0.22.1
Apache EventMeshAffected
Apache FlinkAffected, fixed in 1.14.2, 1.13.5, 1.12,7, 1.11.6
Apache FortressAffected, update to 2.0.7
Apache GeodeAffected, update to 1.12.6, 1.13.5, 1.14.1
Apache GuacamoleNot Affected
Apache HadoopNot affected, uses log4j 1.x
Apache HiveAffected
Apache HTTP Server (httpd)Not affected
Apache IcebergNot Affected
Apache JamesAffected, update to 3.6.1
Apache JenaAffected, update to 4.3.1
Apache JMeterAffected, update to 5.4.2
Apache JSPWikiAffected, update to 2.11.1
Apache KafkaNot Affected
Apache Log4J 1.2Not Affected, see CVE-2021-4104. Note Log4j 1.x is EOL since 2015.
Apache Log4J 2.xAffected, update to 2.16.0
Apache Log4NetNot affected
Apache LuceneAffected, update to 8.11.1
Apache MavenNot affected, Maven 3.1+ uses lsf4j simple-logger
Apache OFBizAffected, update to 18.12.03
Apache OzoneAffected, update to 1.2.1
Apache POINot affected, only uses log4j-api
Apache SkyWalkingAffected, update to 8.9.1
Apache SlingNot affected
Apache SolrAffected, update to 8.11.1
Apache SparkNot affected, uses log4j 1.x
Apache SubversionNot affected
Apache StrutsAffected
Apache TikaAffected (1.x is not affected as uses log4j 1.x)
Apache TomcatNot Affected
Apache TrafficControlNot affected, used log4j 1.x
Apache UimaNot affected
Apache XMLBeansNot affected, only uses log4j-api
Apache ZooKeeperNot affected, uses log4j 1.x