That’s a good summary, thanks. For people who do use log4j2 with Ignite, this is the best public summary I’ve seen so far:
https://www.gridgain.com/resources/blog/what-you-need-know-about-log4j-vulnerabilities-apache-ignite-and-gridgain

In summary, there are immediate mitigations you can apply and there should be new releases shortly that incorporate the fixed version of log4j2.

> On 15 Dec 2021, at 22:23, John Smith <java.dev....@gmail.com> wrote:
>
> So far I haven't seen anyone ask about the issue here in the lists. So I'll give it a go.
>
> I'm personally using 2.8.1
>
> 1- If we are running as a service using .DEB or .RPM or other linux packages: The default logging is JUL so nothing to worry about.
> 2- If we aren't specifically enabling the ignite-log4j2 module by copying it to the libs folder: Also nothing to worry about.
> 3- If we are not specifically enabling log4j2 in XML config or through JAVA code: Also nothing to worry about.
> 4- If we are not pulling the ignite-log4j2 dependency with maven/gradle: Also nothing to worry about.
> 5- On the client side (client = true). We pull ignite-slf4j + use logback-classic + logback-core: Also nothing to worry about.
>
> Strictly speaking from Ignite's side, if external dependencies pull log4j2 dependency so long we don't explicitly enable any Ignite log4j2 config we are ok as well.
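
An added example, not part of the thread and not Ignite project code: a shell check for point 2 of the quoted list, reporting whether an `ignite-log4j2` or `log4j-core` jar has been copied into a node's `libs` folder. It assumes optional modules sit under `libs/optional/` until enabled; the function names and the install path passed in are hypothetical.

```shell
#!/bin/sh
# Inventory check for point 2 of the quoted list: has the ignite-log4j2
# module (or a log4j-core jar) been copied into the node's libs folder?
# Assumption: modules under libs/optional/ are not on the node classpath
# until copied into libs/ itself, so that subtree is skipped.

# Print every enabled ignite-log4j2 / log4j-core jar, one path per line.
active_log4j2_jars() {
    ignite_home=$1
    if [ ! -d "$ignite_home/libs" ]; then
        echo "no libs directory under: $ignite_home" >&2
        return 2
    fi
    find "$ignite_home/libs" \
        -path "$ignite_home/libs/optional" -prune -o \
        -type f \( -name 'ignite-log4j2-*.jar' -o -name 'log4j-core-*.jar' \) \
        -print | sort
}

# Exit status: 0 = nothing enabled, 1 = jars found (review and mitigate),
# 2 = the path does not look like an Ignite installation.
report() {
    jars=$(active_log4j2_jars "$1") || return 2
    if [ -z "$jars" ]; then
        echo "OK: no ignite-log4j2 or log4j-core jar enabled under $1/libs"
        return 0
    fi
    echo "REVIEW: log4j2 jars enabled on this node:"
    echo "$jars"
    return 1
}

# Run stand-alone as: sh check_log4j2.sh /path/to/ignite  (hypothetical path)
if [ "$#" -gt 0 ]; then
    report "$1"
fi
```

This covers only the `libs` folder; log4j2 pulled in through Maven or Gradle (point 4) or enabled in XML or Java configuration (point 3) needs a separate look at the build and config files.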