On master we have already migrated to log4j2, but for all other release lines we are still on log4j1.
Recently there have been several new CVEs for log4j1, so I think we should also address them for release lines other than master. One possible solution is to also migrate to log4j2 but use the log4j12 bridge to maintain compatibility, but we already know that the log4j12 bridge cannot work perfectly with hadoop, as hadoop has some customized log4j1 appender implementations, which inherit from some log4j1 appenders that are not part of the log4j12 bridge. Reload4j is a fork of log4j1 and has fixed the critical CVEs, so it is less painful to replace log4j with reload4j. Suggestions are welcome. Thanks. Regards