Fixed Common Vulnerabilities and Exposures — ODP 1.3.1.0
CVE Tracking Policy
Clemlab actively monitors the National Vulnerability Database (NVD) and upstream Apache project security advisories to identify Common Vulnerabilities and Exposures (CVEs) that affect components shipped with ODP. When a CVE is confirmed to affect an ODP component, it is triaged and addressed in the next available maintenance or minor release.
CVE fixes are tracked in the Clemlab GitHub issue tracker with a reference to the upstream ticket and CVE identifier. Users are encouraged to subscribe to release notifications to stay informed of security updates.
Security Improvements in ODP 1.3.1.0
Log4j2 Migration (Oozie)
ODP 1.3.1.0 includes the migration of Apache Oozie from Log4j 1.x to Log4j 2.x, addressing a class of vulnerabilities associated with the legacy Log4j 1.x library, which reached end-of-life and is no longer receiving security patches.
This migration was implemented through the following upstream Oozie JIRAs:
| Issue | Description |
|---|---|
| OOZIE-3135 | Migrate Oozie server logging from Log4j 1.x to Log4j 2.x |
| OOZIE-3137 | Update Oozie client and tools to use Log4j 2.x |
After upgrading to ODP 1.3.1.0, review your oozie-log4j2 configuration in Ambari to ensure any custom appenders or log levels are correctly migrated to the Log4j 2.x format.
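As an added illustration of that review step (this is not Clemlab or Apache Oozie code), the following script checks the text of an oozie-log4j2 configuration for Log4j 1.x syntax that was carried over unchanged, and prints the Log4j 2.x properties equivalent for the parts that map mechanically (root logger, named loggers, additivity). Appender definitions differ too much between the two formats to convert blindly, so they are only flagged for hand migration. It assumes the configuration is available as plain properties text (for example copied out of the Ambari config field); both sample configurations are constructed for the example.

```python
"""Flag Log4j 1.x syntax left in an Oozie log4j2 properties configuration.

Added example, not part of ODP or Oozie. The samples below are constructed.
"""
import re

# Constructed sample: a Log4j 1.x style configuration pasted into the
# oozie-log4j2 field unchanged. Log4j 2.x silently ignores these keys,
# so custom appenders and levels stop taking effect.
LEGACY_SAMPLE = """
log4j.rootLogger=INFO, oozie
log4j.appender.oozie=org.apache.log4j.rolling.RollingFileAppender
log4j.appender.oozie.File=${oozie.log.dir}/oozie.log
log4j.appender.oozie.layout=org.apache.log4j.PatternLayout
log4j.appender.oozie.layout.ConversionPattern=%d{ISO8601} %5p %c{1}:%L - %m%n
log4j.logger.org.apache.oozie=WARN, oozie
log4j.logger.org.apache.hadoop=ERROR
log4j.additivity.org.apache.oozie=false
"""

# Constructed sample: the same intent written in Log4j 2.x properties format.
MODERN_SAMPLE = """
status = warn
name = OozieLog4j2
appender.oozie.type = RollingFile
appender.oozie.name = oozie
rootLogger.level = info
rootLogger.appenderRef.oozie.ref = oozie
logger.org_apache_oozie.name = org.apache.oozie
logger.org_apache_oozie.level = warn
"""

# Log4j 1.x key families and the label used when reporting them.
LEGACY_PATTERNS = [
    (re.compile(r"^log4j\.rootLogger$"), "rootLogger"),
    (re.compile(r"^log4j\.appender\."), "appender"),
    (re.compile(r"^log4j\.logger\."), "logger"),
    (re.compile(r"^log4j\.additivity\."), "additivity"),
]


def parse_properties(text):
    """Minimal Java .properties parser: key=value or key:value, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        m = re.match(r"^([^=:\s]+)\s*[=:]\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def find_legacy_keys(props):
    """Return {kind: [keys]} for every Log4j 1.x key present; empty dict if none."""
    found = {}
    for key in props:
        for pattern, kind in LEGACY_PATTERNS:
            if pattern.search(key):
                found.setdefault(kind, []).append(key)
                break
    return found


def is_log4j2_ready(props):
    """True when no Log4j 1.x syntax remains in the configuration."""
    return not find_legacy_keys(props)


def _split_level_and_refs(value):
    # Log4j 1.x logger value: "LEVEL, appenderA, appenderB" (level is optional)
    parts = [p.strip() for p in value.split(",") if p.strip()]
    level = parts[0].lower() if parts else "info"
    return level, parts[1:]


def suggest_log4j2_lines(props):
    """Translate root/named loggers to Log4j 2.x properties; flag appenders."""
    out = []
    appender_classes = {}
    for key, value in props.items():
        if key == "log4j.rootLogger":
            level, refs = _split_level_and_refs(value)
            out.append(f"rootLogger.level = {level}")
            out += [f"rootLogger.appenderRef.{r}.ref = {r}" for r in refs]
        elif key.startswith("log4j.logger."):
            name = key[len("log4j.logger."):]
            ident = name.replace(".", "_")  # Log4j 2.x ids must not contain dots
            level, refs = _split_level_and_refs(value)
            out.append(f"logger.{ident}.name = {name}")
            out.append(f"logger.{ident}.level = {level}")
            out += [f"logger.{ident}.appenderRef.{r}.ref = {r}" for r in refs]
        elif key.startswith("log4j.additivity."):
            ident = key[len("log4j.additivity."):].replace(".", "_")
            out.append(f"logger.{ident}.additivity = {value.lower()}")
        elif key.startswith("log4j.appender."):
            ident = key.split(".")[2]
            if key == f"log4j.appender.{ident}":
                appender_classes[ident] = value
    for ident, cls in appender_classes.items():
        # appender.<id>.name must equal the id used in the appenderRef lines above
        out.append(f"# TODO: rewrite appender '{ident}' ({cls}) as "
                   f"appender.{ident}.type / appender.{ident}.name = {ident} / layout")
    return out


if __name__ == "__main__":
    for label, text in (("legacy", LEGACY_SAMPLE), ("modern", MODERN_SAMPLE)):
        props = parse_properties(text)
        print(f"[{label}] log4j2-ready: {is_log4j2_ready(props)}")
        for kind, keys in find_legacy_keys(props).items():
            print(f"  {kind}: {', '.join(keys)}")
        for line in suggest_log4j2_lines(props):
            print("  " + line)
```

Run it against the configuration text you intend to keep after the upgrade; a clean result means every key is in Log4j 2.x form, while any flagged appender still needs its `type`, `name`, layout and rolling policy written by hand before the Ambari change is saved.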
Fixed CVEs Table
The following table lists CVEs addressed in ODP 1.3.1.0. Additional CVEs will be documented here as they are confirmed and verified by Clemlab.
| CVE ID | Severity | Component | Description | Fix Version |
|---|---|---|---|---|
| (additional CVEs will be listed here as confirmed) | — | — | — | — |
This table is updated on a best-effort basis. For the most current security information, consult the upstream Apache project security pages and the Clemlab GitHub repository.