Hello,
Hi André,
For Kettle (Pentaho Data Integration) versions 8.3 and 9.4, the specific versions of Log4J included can vary depending on the exact build and any patches applied. However, here are some general guidelines:
Kettle 8.3: Typically includes Log4J 1.x versions. It’s important to note that Log4J 1.x has known vulnerabilities and is no longer maintained.
Kettle 9.4: Likely includes Log4J 2.x versions, which are more secure and maintained. However, you should verify the exact version to ensure it is free from the critical vulnerabilities identified in Log4J 2.x (e.g., CVE-2021-44228).
To ensure your installation is secure:
Check the Release Notes: Review the release notes or documentation for the specific versions of Kettle you are using. These documents often list the included libraries and their versions.
Update Log4J: If your current version includes a vulnerable Log4J version, consider updating to the latest Log4J 2.x version. You can manually replace the Log4J library in your installation if needed.
Security Patches: Apply any security patches provided by Pentaho/Hitachi Vantara. They may have released updates specifically to address Log4J vulnerabilities.
Hope this helps you.
Best regards, GMSocrates
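The steps above (find the Log4J jars an install ships, read their versions, decide whether they still need the Log4Shell-era fixes or are end-of-life 1.x) can be automated. The script below is an added example, written for this page; it is not code from the original thread or from Pentaho/Hitachi Vantara. It assumes the jars live under the `lib` directory of the Kettle `data-integration` folder (pass that path as the first argument); when run with no argument it scans a constructed sample tree of empty, purpose-built jars so it can be tried offline. The fixed-version thresholds (2.17.1, and 2.12.4 / 2.3.2 on the Java 7 / Java 6 branches) are those published by the Log4J project for CVE-2021-44228, -45046, -45105 and -44832.

```python
"""Inventory the Log4J jars in a Kettle / Pentaho Data Integration lib tree and
flag the ones that are Log4J 1.x or still below the Log4Shell-era fix versions."""
import re
import sys
import tempfile
import zipfile
from pathlib import Path

# Class whose presence means a log4j-core 2.x jar still performs JNDI lookups.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# First release on each 2.x branch that fixes CVE-2021-44228, -45046, -45105
# and -44832 (main branch 2.17.1; Java 7 branch 2.12.4; Java 6 branch 2.3.2).
FIXED_2X = {(2, 3): (2, 3, 2), (2, 12): (2, 12, 4)}
FIXED_2X_DEFAULT = (2, 17, 1)
# Matches log4j-1.2.17.jar, log4j-core-2.14.1.jar, log4j-1.2-api-2.17.1.jar ...
NAME_RE = re.compile(r"^(log4j(?:-[a-z0-9.-]+?)?)-(\d+(?:\.\d+)*)\.jar$", re.I)
# Maven coordinates: log4j:log4j for 1.x, org.apache.logging.log4j:* for 2.x.
MAVEN_PREFIXES = ("META-INF/maven/org.apache.logging.log4j/", "META-INF/maven/log4j/log4j/")


def parse_version(text):
    """'2.17.1' -> (2, 17, 1); '1.2' -> (1, 2, 0). Suffixes such as -rc1 are ignored."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def identify(jar):
    """Return (artifactId, version) if the jar is a Log4J artifact, else None.
    Prefers the file name; falls back to the Maven pom.properties inside the jar,
    which survives when an admin has renamed the file (e.g. to log4j-core.jar)."""
    m = NAME_RE.match(jar.name)
    if m:
        return m.group(1).lower(), m.group(2)
    with zipfile.ZipFile(jar) as zf:
        for name in zf.namelist():
            if name.startswith(MAVEN_PREFIXES) and name.endswith("pom.properties"):
                lines = zf.read(name).decode("utf-8", "replace").splitlines()
                props = dict(l.strip().split("=", 1) for l in lines
                             if "=" in l and not l.startswith("#"))
                return props.get("artifactId", "log4j"), props.get("version", "0")
    return None


def assess(jar, root):
    """Classify one jar; returns None for jars that are not Log4J (or not valid zips)."""
    try:
        ident = identify(jar)
        if ident is None:
            return None
        artifact, vstr = ident
        with zipfile.ZipFile(jar) as zf:
            jndi = JNDI_LOOKUP in zf.namelist()
    except zipfile.BadZipFile:
        return None
    v = parse_version(vstr)
    findings = []
    if artifact == "log4j" and v[0] == 1:
        findings.append("Log4J 1.x is end-of-life: CVE-2019-17571 (SocketServer) and "
                        "CVE-2021-4104 (JMSAppender) will never be fixed; migrate to 2.x")
    elif artifact == "log4j-core" and v[0] == 2:
        fixed = FIXED_2X.get(v[:2], FIXED_2X_DEFAULT)
        if v < fixed:
            findings.append("log4j-core %s is below %s: not fully fixed for CVE-2021-44228/"
                            "45046/45105/44832" % (vstr, ".".join(map(str, fixed))))
            if not jndi:
                findings.append("JndiLookup.class already removed (mitigates CVE-2021-44228 "
                                "and -45046 only); upgrade is still required")
    return {"jar": str(jar.relative_to(root)), "artifact": artifact, "version": vstr,
            "jndi_lookup": jndi, "findings": findings, "vulnerable": bool(findings)}


def scan(root):
    """Walk root recursively and return one record per Log4J jar found."""
    root = Path(root)
    return [r for r in (assess(j, root) for j in sorted(root.rglob("*.jar"))) if r]


def build_sample_install():
    """Constructed sample data, not a real Kettle tree: empty jars whose names and
    metadata mimic what different Kettle builds might ship. Returns the temp dir."""
    root = Path(tempfile.mkdtemp(prefix="kettle-lib-"))

    def jar(name, entries):
        with zipfile.ZipFile(root / name, "w") as zf:
            for entry, data in entries.items():
                zf.writestr(entry, data)

    jar("log4j-1.2.17.jar", {"META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n"})  # 1.x, EOL
    jar("log4j-core-2.14.1.jar", {JNDI_LOOKUP: b""})   # pre-Log4Shell 2.x, lookup present
    jar("log4j-core-2.17.1.jar", {JNDI_LOOKUP: b""})   # fixed 2.x
    jar("log4j-api-2.17.1.jar", {})                     # API jar alone is not affected
    jar("log4j-core.jar", {"META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties":
                           "#generated by Maven\nversion=2.12.1\nartifactId=log4j-core\n"})
    jar("commons-lang-2.6.jar", {})                     # unrelated jar, must be ignored
    return root


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_install()
    for r in scan(target):
        status = "VULNERABLE" if r["vulnerable"] else "ok"
        print("%-24s %-14s %-8s JndiLookup=%-5s %s"
              % (r["jar"], r["artifact"], r["version"], r["jndi_lookup"], status))
        for f in r["findings"]:
            print("    - " + f)
```

Run it as `python log4j_inventory.py /path/to/data-integration/lib`. Two design points worth noting: the file name is only a hint, so the script also reads the Maven `pom.properties` embedded in the jar, which is what catches a renamed or repackaged `log4j-core.jar`; and the absence of `JndiLookup.class` is reported as a mitigation, not a fix, because CVE-2021-45105 and CVE-2021-44832 do not depend on that class.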
florence023