[Feel free to take this offline or out-of-band if this is an inappropriate
place to discuss this]

Is there any hotfixing planned as a result of the Log4J zero day going
around?

Reference: https://www.lunasec.io/docs/blog/log4j-zero-day/
CVE: https://nvd.nist.gov/vuln/detail/CVE-2021-44228

From what I can tell, Helix seems to be building with
https://mvnrepository.com/artifact/org.slf4j/slf4j-log4j12/1.7.14 which in
turn maps to https://mvnrepository.com/artifact/log4j/log4j/1.2.17

The exploit is more prevalent in the 2.x versions of Log4J, but there are
scenarios where 1.x is exploitable and it's been pointed out that 1.x is
also end of life and has other vulnerabilities.

See:
https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126

Thanks!

~Brent
