[ https://issues.apache.org/jira/browse/NIFI-9474?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17460891#comment-17460891 ]
Joe Witt commented on NIFI-9474:
--------------------------------
[~wesley.philip] We don't have confirmed exploitable exposure but we have the
log4shell impacted libs and related impacted libs of the logging world in
various nifi releases. So we focused on closing the holes real or imagined as
the risk of just saying "we are safe" was higher than the cost of just making
sure.
https://cwiki.apache.org/confluence/display/NIFI/Release+Notes#ReleaseNotes-Version1.15.1
> Upgrade Log4j 2 to 2.15.0
> -------------------------
>
> Key: NIFI-9474
> URL: https://issues.apache.org/jira/browse/NIFI-9474
> Project: Apache NiFi
> Issue Type: Improvement
> Reporter: Pierre Villard
> Assignee: Bryan Bende
> Priority: Major
> Labels: security
> Fix For: 1.16.0, 1.15.1
>
> Time Spent: 1.5h
> Remaining Estimate: 0h
>
> Following NIFI-9283, upgrade Log4j to 2.15.0 wherever possible.
> This is in light of the recent announcement for
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
> We do not believe we use log4j 2 in any way that exposes the vulnerability
> but we'll update beyond the version anyway. We still need to fix the
> following so I reopened the JIRA
> ./nifi-nar-bundles/nifi-atlas-bundle/nifi-atlas-nar/target/classes/META-INF/bundled-dependencies/log4j-api-2.13.3.jar
> ./nifi-nar-bundles/nifi-atlas-bundle/nifi-atlas-nar/target/classes/META-INF/bundled-dependencies/log4j-core-2.13.3.jar
> ./nifi-registry/nifi-registry-core/nifi-registry-web-api/target/nifi-registry-web-api-1.16.0-SNAPSHOT/WEB-INF/lib/log4j-to-slf4j-2.14.1.jar
> ./nifi-registry/nifi-registry-core/nifi-registry-web-api/target/nifi-registry-web-api-1.16.0-SNAPSHOT/WEB-INF/lib/log4j-api-2.14.1.jar
> ./nifi-registry/nifi-registry-toolkit/nifi-registry-toolkit-assembly/target/nifi-registry-toolkit-1.16.0-SNAPSHOT-bin/nifi-registry-toolkit-1.16.0-SNAPSHOT/lib/log4j-to-slf4j-2.14.1.jar
> ./nifi-registry/nifi-registry-toolkit/nifi-registry-toolkit-assembly/target/nifi-registry-toolkit-1.16.0-SNAPSHOT-bin/nifi-registry-toolkit-1.16.0-SNAPSHOT/lib/log4j-api-2.14.1.jar
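A version audit in the spirit of the jar list above, added here as an example and not code from NiFi or from this issue: it walks a build or assembly tree, picks out Log4j 2 jars by artifact id and version suffix, and reports those below the 2.15.0 target the issue upgrades to. The sample tree it builds is constructed from the path shapes quoted in the issue, and the set of artifact ids it recognises is an assumption.

```python
import os
import re
import tempfile

# Artifact ids Log4j 2 publishes under (assumed list); the version suffix is captured for comparison.
LOG4J_JAR = re.compile(r"^(log4j-(?:core|api|to-slf4j|1\.2-api))-(\d+(?:\.\d+)+)\.jar$")

def parse_version(text):
    """'2.13.3' -> (2, 13, 3): tuples compare numerically, so 2.9 < 2.15 as intended."""
    return tuple(int(p) for p in text.split("."))

def find_log4j_jars(root):
    """Return sorted (relative_path, artifact_id, version) for every Log4j 2 jar under root."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            m = LOG4J_JAR.match(name)
            if m:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                hits.append((rel, m.group(1), m.group(2)))
    return sorted(hits)

def outdated(hits, target="2.15.0"):
    """Subset of hits whose version is below target (2.15.0 is the version NIFI-9474 moves to)."""
    return [h for h in hits if parse_version(h[2]) < parse_version(target)]

def build_sample_tree():
    """Constructed stand-in for a NiFi build tree: empty files shaped like the paths in NIFI-9474."""
    root = tempfile.mkdtemp(prefix="nifi-sample-")
    for rel in [
        "nifi-atlas-nar/META-INF/bundled-dependencies/log4j-core-2.13.3.jar",
        "nifi-atlas-nar/META-INF/bundled-dependencies/log4j-api-2.13.3.jar",
        "nifi-registry-web-api/WEB-INF/lib/log4j-to-slf4j-2.14.1.jar",
        "nifi-registry-web-api/WEB-INF/lib/log4j-core-2.15.0.jar",
        "nifi-registry-web-api/WEB-INF/lib/slf4j-api-1.7.32.jar",  # not Log4j: must be ignored
    ]:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "wb").close()
    return root

if __name__ == "__main__":
    for rel, artifact, version in outdated(find_log4j_jars(build_sample_tree())):
        print(f"UPGRADE {rel}: {artifact} {version} < 2.15.0")
```

Point `find_log4j_jars` at a real `target/` or unpacked assembly directory instead of the sample tree to audit an actual build.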
--
This message was sent by Atlassian Jira
(v8.20.1#820001)