[ https://issues.apache.org/jira/browse/NIFI-9474?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17460164#comment-17460164 ]
Wesley Philip commented on NIFI-9474: ------------------------------------- Just wondering when this fix will be released publicly, in a new version of Nifi? > Upgrade Log4j 2 to 2.15.0 > ------------------------- > > Key: NIFI-9474 > URL: https://issues.apache.org/jira/browse/NIFI-9474 > Project: Apache NiFi > Issue Type: Improvement > Reporter: Pierre Villard > Assignee: Bryan Bende > Priority: Major > Labels: security > Fix For: 1.16.0, 1.15.1 > > Time Spent: 1.5h > Remaining Estimate: 0h > > Following NIFI-9283, upgrade Log4j to 2.15.0 wherever possible. > This is in light of the recent announcement for > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228 > We do not believe we use log4j 2 in any way that exposes the vulnerability > but we'll update beyond the version anyway. We still need to fix the > following so I reopened the JIRA > ./nifi-nar-bundles/nifi-atlas-bundle/nifi-atlas-nar/target/classes/META-INF/bundled-dependencies/log4j-api-2.13.3.jar > ./nifi-nar-bundles/nifi-atlas-bundle/nifi-atlas-nar/target/classes/META-INF/bundled-dependencies/log4j-core-2.13.3.jar > ./nifi-registry/nifi-registry-core/nifi-registry-web-api/target/nifi-registry-web-api-1.16.0-SNAPSHOT/WEB-INF/lib/log4j-to-slf4j-2.14.1.jar > ./nifi-registry/nifi-registry-core/nifi-registry-web-api/target/nifi-registry-web-api-1.16.0-SNAPSHOT/WEB-INF/lib/log4j-api-2.14.1.jar > ./nifi-registry/nifi-registry-toolkit/nifi-registry-toolkit-assembly/target/nifi-registry-toolkit-1.16.0-SNAPSHOT-bin/nifi-registry-toolkit-1.16.0-SNAPSHOT/lib/log4j-to-slf4j-2.14.1.jar > ./nifi-registry/nifi-registry-toolkit/nifi-registry-toolkit-assembly/target/nifi-registry-toolkit-1.16.0-SNAPSHOT-bin/nifi-registry-toolkit-1.16.0-SNAPSHOT/lib/log4j-api-2.14.1.jar -- This message was sent by Atlassian Jira (v8.20.1#820001)