Hi All,

According to the latest mitigation plan from Log4j
(https://logging.apache.org/log4j/2.x/security.html), Java 8 (or later) users
should upgrade to release 2.16.0.
However, the NiFi community discussion
(https://www.mail-archive.com/issues@nifi.apache.org/msg126427.html) says:
"Following NIFI-9283, upgrade Log4j to 2.15.0 wherever possible."

Can you please clarify further?

Thanks & Regards,
Ganesh.B

-----Original Message-----
From: Joe Witt <joe.w...@gmail.com> 
Sent: Tuesday, December 14, 2021 10:16 PM
To: dev@nifi.apache.org
Subject: Re: Log4j Vunrability

Bcc'ing you Martin

Yes, of course we're very in tune with what is happening.  The convenience binary
we sent doesn't contain log4j impacted libs.  But some of the nars we publish
that people can use do.  We also do not use log4j directly as we use slf4j.
But we're not certain that every possible avenue of this is shut down so we're
treating this as if we must replace it entirely.  To that end we are releasing
Apache NiFi 1.15.1 and doing so on an urgent timeline.  There have been issues
with the release process presumably due to Apache being under so much load.
But we're on it.  Hopefully vote today/release up/available tomorrow.
TBD

Thanks

On Tue, Dec 14, 2021 at 9:40 AM Haris Javaid <haris.jav...@toronto.ca> wrote:
>
> Hi there,
> I am sure you guys are aware of the recently found log4j
> vulnerability. I am curious to know if it's required for us NiFi users
> to take some action. Please let me know.
>
> Thanks,
> H
