[ https://issues.apache.org/jira/browse/HBASE-26691?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17479836#comment-17479836 ]
Wei-Chiu Chuang commented on HBASE-26691:
-----------------------------------------

reload4j is a drop-in replacement for log4j1. Although in reality, the shading makes it not as trivial as it sounds...

> Replacing log4j with reload4j for branch-2.x
> --------------------------------------------
>
>                 Key: HBASE-26691
>                 URL: https://issues.apache.org/jira/browse/HBASE-26691
>             Project: HBase
>          Issue Type: Task
>          Components: logging
>            Reporter: Duo Zhang
>            Assignee: Duo Zhang
>            Priority: Critical
>             Fix For: 2.5.0, 2.4.10
>
>
> There are several new CVEs for log4j1 now.
> As it is not suitable to upgrade to log4j2 for 2.x releases, let's replace
> the log4j1 dependencies with reload4j.

--
This message was sent by Atlassian Jira
(v8.20.1#820001)