[ https://issues.apache.org/jira/browse/NIFI-9505?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17464166#comment-17464166 ]
Joe Witt commented on NIFI-9505: -------------------------------- Yes log4j libs are being updated to 2.17.0 but more importantly log4j core is out entirely now. https://issues.apache.org/jira/browse/NIFI-9474?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17464159#comment-17464159 > Upgrade Log4j 2 to 2.17.0 > ------------------------- > > Key: NIFI-9505 > URL: https://issues.apache.org/jira/browse/NIFI-9505 > Project: Apache NiFi > Issue Type: Bug > Reporter: David Handermann > Assignee: David Handermann > Priority: Minor > Fix For: 1.16.0, 1.15.2 > > > Log4j 2 version 2.17.0 addresses a potential vulnerability in non-standard > logging configurations using Thread Context Map lookup capabilities, > described in [CVE-2021-45105|https://www.cve.org/CVERecord?id=CVE-2021-45105]. > Although NiFi does not use Log4j 2 for runtime logging, upgrading to version > 2.17.0 avoids potential references to older versions in external components. -- This message was sent by Atlassian Jira (v8.20.1#820001)