# random
b
Not sure if this might affect datahub but just bringing it up in case it does: https://www.lunasec.io/docs/blog/log4j-zero-day/
h
b
Just curious, how do you check which version of log4j is in use previously? (I'm a gradle n00b here) cos ./gradlew dependencies doesn't show all the packages used in the top-level folder
h
I'm a noob as well, but what I did was go into the different services and check manually. Could probably have been automated as well 🙈
But you might want to double check in case I missed something
b
I saw this snippet in the top-level build.gradle:
```groovy
configurations.all {
    exclude group: "io.netty", module: "netty"
    exclude group: "log4j", module: "log4j"
}
```
which I assume already excludes log4j, but then again I think I recall seeing log4j:WARN messages inside datahub-gms...? So not sure how to check. I'm not on latest code, but am planning to update to newest soon.
w
@little-megabyte-1074 There's actually a follow-up new vulnerability again. https://nvd.nist.gov/vuln/detail/CVE-2021-45046
b
Looks like we need another constraint to go to 2.16.0