https://issues.apache.org/jira/browse/IGNITE-13464
> On 21 Sep 2020, at 11:02, Ilya Kasnacheev <ilya.kasnach...@gmail.com> wrote:
>
> Hello!
>
> Good catch! I think you should file a critical level ticket about it.
>
> Regards,
> --
> Ilya Kasnacheev
>
>
> Mon, 21 Sep 2020 at 12:56, Stephen Darlington <stephen.darling...@gridgain.com>:
> Actually, this is an interesting one: it’s not the top level ignite-log4j
> module, but a dependency of ignite-rest-http. Why does the REST API have
> log4j (and slf4j) dependencies at all?
>
>> On 21 Sep 2020, at 10:19, Ilya Kasnacheev <ilya.kasnach...@gmail.com> wrote:
>>
>> Hello!
>>
>> Log4J 1.x does not have any non-vulnerable releases, and Log4J2 is not
>> binary compatible.
>>
>> You can sidestep this by not including ignite-log4j module and instead
>> resorting to ignite-log4j2.
>>
>> Regards,
>> --
>> Ilya Kasnacheev
>>
>>
>> Sat, 19 Sep 2020 at 01:47, Andrew Story <andrewst...@fico.com>:
>> Would it be possible in the next release of Ignite to upgrade the 3rd party
>> component
>> /opt/ignite/apache-ignite/libs/optional/ignite-rest-http/log4j-1.2.17.jar to
>> log4j-core-2.13.3.jar?
>>
>> This component log4j-1.2.17.jar is flagged as having a critical security
>> vulnerability which is described here:
>> https://nvd.nist.gov/vuln/detail/CVE-2019-17571
>>
>> The latest version of this component appears to be 2.13.3 which should
>> resolve the vulnerability:
>> https://logging.apache.org/log4j/2.x/download.html.
>>
>> Thanks,
>>
>> Andrew Story
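
An added example, not part of the original thread or of Ignite: a Python sketch that walks an Ignite `libs` tree and reports which module directories bundle a Log4j 1.x jar, matching by file name and by the presence of the `SocketServer` class that CVE-2019-17571 concerns. The function names and the sample directory tree are assumptions constructed for illustration.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Class that CVE-2019-17571 concerns (Log4j 1.2 SocketServer deserialization).
SOCKET_SERVER = "org/apache/log4j/net/SocketServer.class"
# Log4j 1.x jars are named like log4j-1.2.17.jar; Log4j 2 ships log4j-core-2.x.jar.
LOG4J1_NAME = re.compile(r"^log4j-1\.\d+(\.\d+)*\.jar$")


def find_log4j1(libs_root):
    """Return {module_dir: [jar names]} for jars that look like Log4j 1.x."""
    findings = {}
    root = Path(libs_root)
    for jar in sorted(root.rglob("*.jar")):
        by_name = bool(LOG4J1_NAME.match(jar.name))
        by_content = False
        try:
            with zipfile.ZipFile(jar) as zf:
                # Content check also catches a renamed or repackaged jar.
                by_content = SOCKET_SERVER in zf.namelist()
        except zipfile.BadZipFile:
            pass  # unreadable archive: rely on the file-name check only
        if by_name or by_content:
            module = jar.parent.relative_to(root).as_posix()
            findings.setdefault(module, []).append(jar.name)
    return findings


def build_sample_tree(root):
    """Constructed sample layout (hypothetical, not a real Ignite distribution)."""
    samples = {
        "optional/ignite-rest-http/log4j-1.2.17.jar": SOCKET_SERVER,
        "optional/ignite-rest-http/renamed-logging.jar": SOCKET_SERVER,
        "optional/ignite-log4j2/log4j-core-2.13.3.jar":
            "org/apache/logging/log4j/core/Logger.class",
    }
    for rel, entry in samples.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        with zipfile.ZipFile(path, "w") as zf:
            zf.writestr(entry, b"")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for module, jars in find_log4j1(build_sample_tree(tmp)).items():
            print(f"{module}: {', '.join(jars)}")
```

Run against a real installation by passing its `libs` directory to `find_log4j1`; a hit by content means the class is present in the jar, not that the class is reachable at runtime.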