+1 for migrating to Reload4J. It is binary- and configuration-compatible with
log4j 1, so it meets our compatibility guidelines.

If this is an agreeable plan I can make the changes in a PR and we can do a 
round of new releases. 

> On Jan 20, 2022, at 10:16 PM, Duo Zhang <zhang...@apache.org> wrote:
> 
> On master we have already migrated to log4j2, but for all other release
> lines we are still on log4j1.
> 
> Recently there have been several new CVEs for log4j1, so I think we should also
> address them for release lines other than master.
> 
> One possible solution is to also migrate to log4j2 but use the log4j12 bridge to
> maintain compatibility, but we already know that the log4j12 bridge
> cannot work perfectly with hadoop, as hadoop has some customized log4j1
> appender implementations, which inherit from some log4j1 appenders which are not
> part of the log4j12 bridge.
> 
> Reload4j is a fork of log4j1 and has fixed the critical CVEs, so it is
> less painful to replace log4j with reload4j.
> 
> Suggestions are welcomed.
> 
> Thanks. Regards
