Yanhui Zhao created MNEMONIC-723:
------------------------------------
Summary: Upgrade log4j version from 1.x to v2 for security vulnerability fixes
Key: MNEMONIC-723
URL: https://issues.apache.org/jira/browse/MNEMONIC-723
Project: Mnemonic
Issue Type: Task
Components: Logging
Affects Versions: 0.17.0
Reporter: Yanhui Zhao
Fix For: 0.17.0
*TLDR:* Apache Log4j 1.x does have vulnerabilities that are unpatched. Many
configurations are not impacted by the vulnerabilities by default. Log4j 1.x is
EOL so there are no fixed 1.x versions. You can patch the jar files yourself by
removing the vulnerable class files. It's not a simple upgrade to go from Log4j
1.x to 2.x in most cases.
According to the statement above, we need to upgrade our current log4j version from v1.x to v2.x.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)