Your deployment has vulnerabilities only if you configured log4j as a
logger.
Not every deployment needs to be secured.
Not every deployment requires the use of log4j.

We must change the default logging library if the current one is log4j and
provide the ability to use log4j as before (where it is required) but with
a warning, I think.

On Mon, Feb 28, 2022 at 3:55 PM Sergei Ryzhov <s.vi.ryz...@gmail.com> wrote:

> Hello, Igniters.
>
> log4j 1.2.17 is not supported and contains critical vulnerabilities.
> I suggest excluding log4j 1.2.17 and module ignite-log4j from ignite[1].
>
> Direct vulnerabilities:
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23305
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23302
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4104
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17571
>
> WDYT?
>
> [1] https://issues.apache.org/jira/browse/IGNITE-16626
>
> --
> Best regards,
> Sergei Ryzhov
>
