[jira] [Commented] (NIFI-9505) Upgrade Log4j 2 to 2.17.0

Joe Witt (Jira) Wed, 22 Dec 2021 15:25:07 -0800


    [ 
https://issues.apache.org/jira/browse/NIFI-9505?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17464166#comment-17464166
 ]


Joe Witt commented on NIFI-9505:
--------------------------------

Yes log4j libs are being updated to 2.17.0 but more importantly log4j core is 
out entirely now.

https://issues.apache.org/jira/browse/NIFI-9474?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17464159#comment-17464159



> Upgrade Log4j 2 to 2.17.0
> -------------------------
>
>                 Key: NIFI-9505
>                 URL: https://issues.apache.org/jira/browse/NIFI-9505
>             Project: Apache NiFi
>          Issue Type: Bug
>            Reporter: David Handermann
>            Assignee: David Handermann
>            Priority: Minor
>             Fix For: 1.16.0, 1.15.2
>
>
> Log4j 2 version 2.17.0 addresses a potential vulnerability in non-standard 
> logging configurations using Thread Context Map lookup capabilities, 
> described in [CVE-2021-45105|https://www.cve.org/CVERecord?id=CVE-2021-45105].
> Although NiFi does not use Log4j 2 for runtime logging, upgrading to version 
> 2.17.0 avoids potential references to older versions in external components.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)

[jira] [Commented] (NIFI-9505) Upgrade Log4j 2 to 2.17.0

Reply via email to