This has already been addressed via ARTEMIS-3612 [1]. Version 2.21.0 is in the voting process now.

Justin

[1] https://issues.apache.org/jira/browse/ARTEMIS-3612

On Sat, Mar 26, 2022 at 4:08 PM Steigerwald, Aaron <asteigerw...@brandesassociates.com.invalid> wrote:

> Hello,
>
> Hopefully this hasn't already been addressed. I couldn't find it if it has.
>
> The console.war file starting with Artemis 2.17.0 contains a newer version
> of HawtIO. It contains WEB-INF\lib\log4j-1.2.17.jar, which some security
> scanners have a problem with because it's end of life. Are there any plans
> to update it to log4j 2.x, or at least use the log4j "1.x to 2.x" bridge
> JAR described here:
> https://logging.apache.org/log4j/2.x/manual/migration.html#Log4j1.2Bridge?
> I've replaced it with the following files and it appears to work without
> issue:
>
> WEB-INF\lib\log4j-1.2-api-2.17.2.jar
> WEB-INF\lib\log4j-api-2.17.2.jar
> WEB-INF\lib\log4j-core-2.17.2.jar
>
> I will continue to do this until WEB-INF\lib\log4j-1.2.17.jar is removed
> from the distribution. It still exists in the Artemis 2.20.0 distribution.
>
> Thank you,
> Aaron Steigerwald
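
Added example, not part of the original thread or of the Artemis project: a Python check that lists any log4j 1.x JAR under WEB-INF/lib in a WAR and reports which of the three bridge JARs named in the quoted message are absent. The function names, the `example-lib-1.0.jar` entry and the in-memory WARs are constructed for illustration.

```python
import io
import re
import zipfile

# log4j 1.x JARs are named log4j-1.<minor>[.<patch>].jar. The 2.x bridge,
# log4j-1.2-api-<version>.jar, must not match, hence the anchored pattern.
LOG4J1 = re.compile(r"^log4j-1\.\d+(\.\d+)*\.jar$")
# Prefixes of the three replacement JARs listed in the quoted message.
BRIDGE_SET = ("log4j-1.2-api-", "log4j-api-", "log4j-core-")


def audit_war(war):
    """Return (legacy_jars, missing_bridge_prefixes) for a WAR path or file object."""
    with zipfile.ZipFile(war) as zf:
        # Zip entry names always use '/', whatever the host OS displays.
        libs = [name.rsplit("/", 1)[1] for name in zf.namelist()
                if name.startswith("WEB-INF/lib/") and name.endswith(".jar")]
    legacy = sorted(jar for jar in libs if LOG4J1.match(jar))
    missing = [p for p in BRIDGE_SET if not any(jar.startswith(p) for jar in libs)]
    return legacy, missing


def make_war(jar_names):
    """Build a constructed in-memory WAR holding empty files with the given names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in jar_names:
            zf.writestr("WEB-INF/lib/" + name, b"")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # Constructed samples: the layout described in the message, then the
    # layout after the replacement it describes.
    shipped = make_war(["log4j-1.2.17.jar", "example-lib-1.0.jar"])
    patched = make_war(["log4j-1.2-api-2.17.2.jar", "log4j-api-2.17.2.jar",
                        "log4j-core-2.17.2.jar", "example-lib-1.0.jar"])
    for label, war in (("shipped", shipped), ("patched", patched)):
        legacy, missing = audit_war(war)
        print(f"{label}: legacy={legacy} missing_bridge={missing}")
```

`audit_war` also accepts a filesystem path, so it can be pointed at a real console.war.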