After we upgraded apm to 1.34.1, we are still seeing vulnerability CVE-2020-9488 showing up in our application scan reports (earlier we were using 1.28.4).
The expected log4j fix version is 2.13.2, whereas apm 1.34.1 still has 2.12.4. So are there any plans to increase the log4j version, or is it the max version that will be supported?
NVD - CVE-2020-9488: Fixed in Apache Log4j 2.12.3 and 2.13.1
Please contact your vulnerability scanner vendor and ask them to correct the false positive error.
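An added example, not part of the posts above and not code from any scanner or from the APM agent: a branch-aware fixed-version check using the two fix releases quoted from NVD, next to the single 2.13.2 threshold the scan report expected. The function names and the rule for release lines without a listed fix are assumptions of this sketch.

```python
import re

# Fix releases as quoted from the NVD entry in the answer above.
FIXED_IN = [(2, 12, 3), (2, 13, 1)]
# Single "fixed in" threshold the scan report expected, per the question.
SCANNER_THRESHOLD = (2, 13, 2)


def parse_version(text):
    """Parse 'MAJOR.MINOR.PATCH' into a tuple of ints."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def is_fixed(version, fixed_in=FIXED_IN):
    """True if `version` carries the fix, honouring per-branch backports."""
    v = parse_version(version)
    for fix in fixed_in:
        if v[:2] == fix[:2]:          # same MAJOR.MINOR release line
            return v >= fix
    # Assumption: lines newer than every listed fix inherit it;
    # older lines with no listed backport stay affected.
    return v > max(fixed_in)


def naive_is_fixed(version, threshold=SCANNER_THRESHOLD):
    """Single-threshold comparison that ignores backported fixes."""
    return parse_version(version) >= threshold


def false_positives(versions):
    """Versions the single threshold flags although a fix is present."""
    return [v for v in versions if is_fixed(v) and not naive_is_fixed(v)]


if __name__ == "__main__":
    # Constructed sample versions; 2.12.4 is the one from the question.
    samples = ["2.11.2", "2.12.2", "2.12.4", "2.13.0", "2.13.1", "2.17.1"]
    for s in samples:
        print(f"{s}: branch-aware fixed={is_fixed(s)}, "
              f"single-threshold fixed={naive_is_fixed(s)}")
    print("flagged in error:", false_positives(samples))
```
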