Tahir

Please read: 
https://exceptionfactory.com/posts/2021/12/14/evaluating-log4shell-and-apache-nifi/

We aren't advocating any mitigations officially at this point, as
things have evolved rapidly.  Further, as the blog shows, you could
simply delete the NARs listed if those aren't central to your flow's
operation, restart, and then you have zero instances of these.

In any event, we're releasing Apache NiFi 1.15.1 as we speak.  Bits
hopefully available by this evening.  In that you will have logback's
latest (for a vulnerability they just announced), log4j 2.16 (for the
vulnerabilities they have announced), and we block all other forms of
log4j 1.x/2.x in the maven reactor for other vulnerabilities
announced.  It should be a pretty complete state.

Furthermore, your versions listed show you're using a vendor release
of the product.  You should work with that vendor if you need patches
to that.

Thanks
Joe

On Wed, Dec 15, 2021 at 11:52 AM Tahir Khan <tahir.k...@gm.com> wrote:
>
> Hi,
> We are on NiFi 1.12.1.
> Our security team have notified us about the log4j vulnerability from the 
> below jars:
>
> /disk-5/nifi/work/nar/extensions/nifi-elasticsearch-client-service-nar-1.12.1.nar-unpacked/NAR-INF/bundled-dependencies/log4j-api-2.11.1.jar
> /disk-5/nifi/work/nar/extensions/nifi-elasticsearch-client-service-nar-1.12.1.nar-unpacked/NAR-INF/bundled-dependencies/log4j-core-2.11.1.jar
> /disk-5/nifi/work/nar/extensions/nifi-elasticsearch-restapi-nar-1.12.1.nar-unpacked/NAR-INF/bundled-dependencies/log4j-api-2.8.2.jar
> /disk-5/nifi/work/nar/extensions/nifi-elasticsearch-restapi-nar-1.12.1.nar-unpacked/NAR-INF/bundled-dependencies/log4j-core-2.13.3.jar
> /disk-5/nifi/work/nar/extensions/nifi-elasticsearch-client-service-nar-1.12.1.nar-unpacked/NAR-INF/bundled-dependencies/log4j-api-2.11.1.jar
> /disk-5/nifi/work/nar/extensions/nifi-elasticsearch-client-service-nar-1.12.1.nar-unpacked/NAR-INF/bundled-dependencies/log4j-core-2.11.1.jar
> /disk-5/nifi/work/nar/extensions/nifi-hive3-nar-1.7.0.3.2.0.0-520.nar-unpacked/NAR-INF/bundled-dependencies/log4j-api-2.10.0.jar
> /disk-5/nifi/work/nar/extensions/nifi-hive3-nar-1.7.0.3.2.0.0-520.nar-unpacked/NAR-INF/bundled-dependencies/log4j-core-2.10.0.jar
>
> What are the ways of mitigating this vulnerability?
> Appreciate the help!
> Thanks
>
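The quoted paths show the pattern a NiFi operator has to inventory: each unpacked NAR under work/nar/extensions carries its own NAR-INF/bundled-dependencies directory, so one NiFi install can hold several different log4j versions, one per NAR. The script below is an added example, not code from the thread or from the Apache NiFi project. It walks that directory layout, groups the bundled log4j jars by NAR, and flags any NAR whose log4j-core is below 2.16.0 (the version the reply says ships in 1.15.1; treating everything below it as needing attention is this example's assumption). The sample tree it builds is constructed from the quoted jar names plus one hypothetical already-updated NAR, with empty files standing in for the jars.

```python
import os
import re
import tempfile
from pathlib import Path

# Matches bundled jar names such as log4j-core-2.11.1.jar or log4j-api-2.8.2.jar
LOG4J_JAR = re.compile(r"^(log4j-(?:core|api))-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text):
    """'2.11.1' -> (2, 11, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def find_log4j_jars(extensions_dir):
    """Walk <work>/nar/extensions and return (nar_dir, artifact, version) per log4j jar.

    The first path component under extensions/ is the unpacked NAR, which is what
    an operator would delete or replace, so results are keyed on it."""
    extensions_dir = Path(extensions_dir)
    found = []
    for dirpath, _dirnames, filenames in os.walk(extensions_dir):
        for name in sorted(filenames):
            match = LOG4J_JAR.match(name)
            if not match:
                continue
            rel = Path(dirpath).relative_to(extensions_dir)
            nar = rel.parts[0] if rel.parts else "(root)"
            found.append((nar, match.group(1), match.group(2)))
    return found


def needs_attention(version, fixed="2.16.0"):
    """True for any log4j version below the threshold (assumption: 2.16.0, from the reply).
    log4j 1.x also compares below it, which matches the reply's blocking of 1.x."""
    return parse_version(version) < parse_version(fixed)


def report(extensions_dir, fixed="2.16.0"):
    """Return (all log4j jars grouped by NAR, NARs bundling an old log4j-core)."""
    by_nar = {}
    for nar, artifact, version in find_log4j_jars(extensions_dir):
        by_nar.setdefault(nar, []).append((artifact, version))
    flagged = {}
    for nar, jars in by_nar.items():
        old_cores = sorted({v for a, v in jars if a == "log4j-core" and needs_attention(v, fixed)})
        if old_cores:
            flagged[nar] = old_cores
    return by_nar, flagged


def build_sample_tree():
    """Constructed sample mirroring the layout quoted in the thread (empty stand-in files)."""
    root = Path(tempfile.mkdtemp()) / "work" / "nar" / "extensions"
    layout = {
        "nifi-elasticsearch-client-service-nar-1.12.1.nar-unpacked": ["log4j-api-2.11.1.jar", "log4j-core-2.11.1.jar"],
        "nifi-elasticsearch-restapi-nar-1.12.1.nar-unpacked": ["log4j-api-2.8.2.jar", "log4j-core-2.13.3.jar"],
        "nifi-hive3-nar-1.7.0.3.2.0.0-520.nar-unpacked": ["log4j-api-2.10.0.jar", "log4j-core-2.10.0.jar"],
        # Hypothetical NAR already on the fixed version; should not be flagged
        "example-updated-nar-0.0.0.nar-unpacked": ["log4j-api-2.16.0.jar", "log4j-core-2.16.0.jar"],
    }
    for nar, jars in layout.items():
        deps = root / nar / "NAR-INF" / "bundled-dependencies"
        deps.mkdir(parents=True)
        for jar in jars:
            (deps / jar).touch()
    return root


if __name__ == "__main__":
    # Point this at a real <nifi>/work/nar/extensions to inventory an installation.
    extensions = build_sample_tree()
    by_nar, flagged = report(extensions)
    for nar, jars in sorted(by_nar.items()):
        status = "NEEDS ATTENTION" if nar in flagged else "ok"
        print(f"{status:16} {nar}: {', '.join(f'{a}-{v}' for a, v in jars)}")
```

Run against a real install by replacing `build_sample_tree()` with the path to work/nar/extensions. The grouping by NAR is the useful part: it tells you which NAR to remove (if it is not central to the flow) or which bundle the vendor needs to refresh, rather than just listing jar files.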
