From 68303ea7f32d8d00064667aee71bccba8e892702 Mon Sep 17 00:00:00 2001 From: zh0122 Date: Tue, 6 Apr 2021 10:59:40 +0800 Subject: [PATCH] [FE][Bug]Update log4j-web to fix a security issue (#5594) Fix CVE-2017-5645 In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code. https://www.cvedetails.com/cve/CVE-2017-5645/ --- fe/fe-core/pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fe/fe-core/pom.xml b/fe/fe-core/pom.xml index ac7e6f841b..9a91ab22cd 100644 --- a/fe/fe-core/pom.xml +++ b/fe/fe-core/pom.xml @@ -74,7 +74,7 @@ under the License. org.apache.logging.log4j log4j-web - 2.7 + 2.14.0 org.springframework.boot
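Review bot: The only line changed in the `@@ -74,7 +74,7 @@` hunk of fe/fe-core/pom.xml is the version on the `log4j-web` artifact (`2.7` to `2.14.0`), but the TCP and UDP socket server classes that the commit message describes ship in `log4j-core`, and nothing in this diff shows which `log4j-core` or `log4j-api` version the module resolves to. Please confirm with `mvn dependency:tree -Dincludes=org.apache.logging.log4j` that every log4j artifact on the fe-core classpath ends up at 2.8.2 or later, and that no other declaration or dependencyManagement entry pins an older one. It would also help to replace the literal version here with a single shared property (for example a hypothetical `${log4j2.version}`), so that all log4j artifacts move together on the next upgrade.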