Actually, this is an interesting one: it’s not the top level ignite-log4j 
module, but a dependency of ignite-rest-http. Why does the REST API have log4j 
(and slf4j) dependencies at all?

> On 21 Sep 2020, at 10:19, Ilya Kasnacheev <[email protected]> wrote:
> 
> Hello!
> 
> Log4J 1.x does not have any non-vulnerable releases, and Log4J2 is not binary 
> compatible.
> 
> You can sidestep this by not including ignite-log4j module and instead 
> resorting to ignite-log4j2.
> 
> Regards,
> -- 
> Ilya Kasnacheev
> 
> 
> On Sat, 19 Sep 2020 at 01:47, Andrew Story <[email protected]> wrote:
> Would it be possible in the next release of Ignite to upgrade the 3rd party
> component
> /opt/ignite/apache-ignite/libs/optional/ignite-rest-http/log4j-1.2.17.jar to
> log4j-core-2.13.3.jar?
> 
> This component log4j-1.2.17.jar is flagged as having a critical security
> vulnerability which is described here:
> https://nvd.nist.gov/vuln/detail/CVE-2019-17571
> 
> The latest version of this component appears to be 2.13.3 which should
> resolve the vulnerability:
> https://logging.apache.org/log4j/2.x/download.html.
> 
> Thanks,
> 
> Andrew Story
> 
> 
> 
> 
> --
> Sent from: http://apache-ignite-users.70518.x6.nabble.com/
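
An added example, not part of the original thread or of the Ignite project: a Python check that walks an Ignite `libs` tree and reports which module directory ships a jar containing Log4j 1.x classes, and whether the `SocketServer` class named in the CVE-2019-17571 description is inside it. The function names and the class-presence heuristic are assumptions of this example; the default path is the install location quoted in the thread.

```python
import sys
import zipfile
from pathlib import Path

# Class named in the CVE-2019-17571 description (Log4j 1.2 SocketServer).
SOCKET_SERVER = "org/apache/log4j/net/SocketServer.class"
# Marker for the Log4j 1.x package namespace (heuristic chosen for this example).
LOG4J1_MARKER = "org/apache/log4j/Logger.class"


def inspect_jar(jar_path):
    """Return (has_log4j1_classes, has_socket_server), or None if the jar is unreadable."""
    try:
        with zipfile.ZipFile(jar_path) as jar:
            names = set(jar.namelist())
    except (zipfile.BadZipFile, OSError):
        return None
    return LOG4J1_MARKER in names, SOCKET_SERVER in names


def scan_libs(libs_root):
    """Walk libs_root and list jars that carry Log4j 1.x classes.

    Each finding records the directory (module) that ships the jar, so a
    transitive copy under libs/optional/ignite-rest-http/ is visible even
    when the ignite-log4j module itself is not deployed.
    """
    findings = []
    root = Path(libs_root)
    for jar_path in sorted(root.rglob("*.jar")):
        result = inspect_jar(jar_path)
        if result is None or not result[0]:
            continue
        findings.append({
            "module": jar_path.parent.relative_to(root).as_posix(),
            "jar": jar_path.name,
            "socket_server": result[1],
        })
    return findings


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "/opt/ignite/apache-ignite/libs"
    for f in scan_libs(root):
        flag = "SocketServer present" if f["socket_server"] else "no SocketServer"
        print(f"{f['module']}/{f['jar']}: Log4j 1.x classes, {flag}")
```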

