[ https://issues.apache.org/jira/browse/NIFI-9474?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17460166#comment-17460166 ]
Joe Witt commented on NIFI-9474:
--------------------------------
This being 2.15 isn't good enough. We've moved to 2.16 already. Plus upgraded
logback. Plus blocked all avenues of reactor usage of old log4j 1.x or old
log4j 2.x. It will be in NiFi 1.15.1 which the community is voting on as we
speak. Hopefully official bits get pushed tonight. Please help review the
vote.

> Upgrade Log4j 2 to 2.15.0
> -------------------------
>
> Key: NIFI-9474
> URL: https://issues.apache.org/jira/browse/NIFI-9474
> Project: Apache NiFi
> Issue Type: Improvement
> Reporter: Pierre Villard
> Assignee: Bryan Bende
> Priority: Major
> Labels: security
> Fix For: 1.16.0, 1.15.1
>
> Time Spent: 1.5h
> Remaining Estimate: 0h
>
> Following NIFI-9283, upgrade Log4j to 2.15.0 wherever possible.
> This is in light of the recent announcement for
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
> We do not believe we use log4j 2 in any way that exposes the vulnerability
> but we'll update beyond the version anyway. We still need to fix the
> following so I reopened the JIRA
> ./nifi-nar-bundles/nifi-atlas-bundle/nifi-atlas-nar/target/classes/META-INF/bundled-dependencies/log4j-api-2.13.3.jar
> ./nifi-nar-bundles/nifi-atlas-bundle/nifi-atlas-nar/target/classes/META-INF/bundled-dependencies/log4j-core-2.13.3.jar
> ./nifi-registry/nifi-registry-core/nifi-registry-web-api/target/nifi-registry-web-api-1.16.0-SNAPSHOT/WEB-INF/lib/log4j-to-slf4j-2.14.1.jar
> ./nifi-registry/nifi-registry-core/nifi-registry-web-api/target/nifi-registry-web-api-1.16.0-SNAPSHOT/WEB-INF/lib/log4j-api-2.14.1.jar
> ./nifi-registry/nifi-registry-toolkit/nifi-registry-toolkit-assembly/target/nifi-registry-toolkit-1.16.0-SNAPSHOT-bin/nifi-registry-toolkit-1.16.0-SNAPSHOT/lib/log4j-to-slf4j-2.14.1.jar
> ./nifi-registry/nifi-registry-toolkit/nifi-registry-toolkit-assembly/target/nifi-registry-toolkit-1.16.0-SNAPSHOT-bin/nifi-registry-toolkit-1.16.0-SNAPSHOT/lib/log4j-api-2.14.1.jar
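The list of leftover jars in the issue description can be reproduced and re-checked after each build with a version-aware scan. The script below is an added example, not part of the original message or of the NiFi build: the function names and the two `./constructed/` paths are made up for illustration, and the `2.16.0` floor is an assumption taken from the comment above.

```shell
#!/bin/sh
# Added example: flag bundled Log4j 2 jars older than a minimum version.
# Real use (from the build root): find . -name 'log4j-*.jar' | stale_log4j_jars 2.16.0

# version_lt A B: succeeds when A is strictly older than B.
# sort -V compares numerically per component, so 2.9.1 < 2.16.0 (a plain
# string comparison would get that wrong).
version_lt() {
  [ "$1" != "$2" ] &&
    [ "$(printf '%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# stale_log4j_jars MIN: reads jar paths on stdin and prints "version<TAB>path"
# for every log4j-api, log4j-core or log4j-to-slf4j jar below MIN.
stale_log4j_jars() {
  min="$1"
  while IFS= read -r path; do
    base="${path##*/}"
    # Pull the numeric version out of the file name; a qualifier such as
    # -SNAPSHOT is ignored. Non-matching names give an empty string.
    ver=$(printf '%s\n' "$base" |
      sed -n -E 's/^log4j-(api|core|to-slf4j)-([0-9]+(\.[0-9]+)*)(-[^/]*)?\.jar$/\2/p')
    [ -n "$ver" ] || continue
    if version_lt "$ver" "$min"; then
      printf '%s\t%s\n' "$ver" "$path"
    fi
  done
  return 0
}

# Sample input: the first two paths are copied from the issue text,
# the last two are constructed to show entries that must not be flagged.
sample_paths() {
  cat <<'EOF'
./nifi-nar-bundles/nifi-atlas-bundle/nifi-atlas-nar/target/classes/META-INF/bundled-dependencies/log4j-core-2.13.3.jar
./nifi-registry/nifi-registry-core/nifi-registry-web-api/target/nifi-registry-web-api-1.16.0-SNAPSHOT/WEB-INF/lib/log4j-api-2.14.1.jar
./constructed/lib/log4j-core-2.16.0.jar
./constructed/lib/slf4j-api-1.7.32.jar
EOF
}

sample_paths | stale_log4j_jars 2.16.0
```

The scan only sees jars that exist as files on disk; jars nested inside a packaged `.nar` or `.war` archive have to be unpacked (as the `target/` directories in the issue are) before it can find them.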