ES Hadoop Jar - Potential log4j vulnerability

[ron-flomin]

Issue description

It seems that ES Hadoop jar is dependent on commons-logging (1.1.1) which according to mvnrepository.com has a vulnerabilities from dependencies which one of them is CVE-2021-4104.

Is there any plan to replace this dependency with an updated version which is safe to use?

[masseyke]

Hi @ron-flomin. Thanks for the ticket. We pull in commons-logging from the hadoop environment, so I don't think this directly impacts us. We ought to upgrade our dependencies though, on the off chance that there is a compilation problem with newer versions. So I'll leave this open for that. Let me know if you're seeing something I've missed.