[
https://issues.apache.org/jira/browse/ZOOKEEPER-4427?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17482318#comment-17482318
]
swxEmily commented on ZOOKEEPER-4427:
-------------------------------------
Hello Team,
Apache Log4j1.x reported CVE-2022-23302/23305/23307 three vulnerabilities, how
about migration to log4j2 or logback?
> Migrate to Logback
> ------------------
>
> Key: ZOOKEEPER-4427
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4427
> Project: ZooKeeper
> Issue Type: Improvement
> Components: other
> Affects Versions: 3.8
> Reporter: Andor Molnar
> Assignee: Andor Molnar
> Priority: Major
> Labels: log4j, logback, logging, pull-request-available
> Fix For: 3.8.0
>
> Time Spent: 5.5h
> Remaining Estimate: 0h
>
> Due to the recent issues with log4j2 the migration for another logging
> library has come up again. Although log4j1 is not impacted by the
> vulnerability, the upgrade to log4j2 was abandoned multiple times in ZK
> history.
> I suggest now to migrate to {{logback}} which is also a well-maintained and
> mature project as well as it's much easier to migrate from log4j1.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
