Dear Nifi team We are in the process of replacing all log4j 2.5 version to 2.17 for current Nifi version nifi-1.9.0-RC2.
Please let us know what's the best way to proceed further it just delete the existing files and replace them with files from below location https://www.apache.org/dyn/closer.lua/logging/log4j/2.17.0/apache-log4j-2.17.0-bin.zip Thanks for your support. Rafi Ahmed O 1-416-338-2158 M 1-416-894-6432 -----Original Message----- From: Joe Witt [mailto:[email protected]] Sent: December 14, 2021 11:46 AM To: [email protected] Subject: Re: Log4j Vunrability Yes of course we're very in tuned to what is happening. The convenience binary we sent doesn't contain log4j impacted libs. But some of the nars we publish that people can use do. We also do not use log4j directly as we use slf4j. But we're not certain that every possible avenue of this is shut down so we're treating this as if we must replace it entirely. To that end we are releasing Apache NiFi 1.15.1 and doing so in urgent timeline. There have been issues with the release process presumably due to Apache being under so much load. But we're on it. Hopefully vote today/release up/available tomorrow. TBD Thanks On Tue, Dec 14, 2021 at 9:40 AM Haris Javaid <[email protected]> wrote: > > Hi there, > I am sure you guys are aware of the recently found log4j > vulnerability. I am curious to know if its required for us Nifi users > to take some action. Please let me know > > Thanks, > H
