Has anybody ever configured logback via JMX? Is this genuinely used by
somebody frequently enough that this has to be enabled by default? Was
that introduced as "nice to have" or what was the reasoning behind it?

Because we are striving to have as smooth an experience as possible when
hopping from one minor release to another, that tells me not to remove
this, especially when, as you said, it does not represent something
which is exploitable.

Apache Cassandra has its own CVE / vulnerability check, under the "ant
dependency-check" target, where non-exploitable CVEs are suppressed. It
is disappointing to see that users are deploying their own custom
solutions for security scanning of dependencies and do not count on the
Cassandra community to have evaluated the impact of each CVE that it
suppressed as not applicable.

On Fri, Jan 16, 2026 at 10:38 AM Michael Morris <[email protected]> wrote:
>
> I created a PR a while ago to hopefully drop back CASSANDRA-20429 to
> cassandra-5.0, see https://github.com/apache/cassandra/pull/4432.
> There was an initial discussion in this thread:
> https://lists.apache.org/thread/757n89p9j3mfqdmlohm6gxtx1zjtjqbz.
> I'd like to raise this again to see if we can progress.
>
> To summarize the concern Štefan raised in the above thread:
> Logback 1.2 included a feature whereby, if you included <jmxConfigurator/>
> in the logback.xml file, you could make changes to the logback
> configuration through JMX. This feature was removed in logback 1.3/1.4
> due to security issues and lack of use, and a warning message is now
> generated if that element is included in the logback.xml.
> The default Cassandra logback.xml file contains this element. The PR
> removes the element from the default logback.xml as part of the changes
> to upgrade to logback 1.5, as it is no longer useful and would result in
> warning messages being generated. However, if someone were to use a
> logback.xml from an older Cassandra version, they will get warning
> messages in the logs on Cassandra start-up. If this scenario arises, the
> user can remove <jmxConfigurator/> from their logback.xml and the
> warning messages will no longer be generated.
>
> It would be great to get agreement if people are happy to proceed with
> this dropback.
>

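The check and clean-up Michael describes, as an added example that is not part of this thread and not Cassandra's or logback's own code: it counts `<jmxConfigurator>` elements in a logback.xml structurally, strips them at the text level so comments and layout survive, and re-parses the result to confirm nothing else was disturbed. The sample config is constructed for the example and only loosely resembles the shape of a pre-5.0 Cassandra logback.xml; it is not the real file, and the function names are my own.

```python
"""Find and strip <jmxConfigurator/> from a logback.xml before upgrading to logback 1.3+.

Added example, not Cassandra or logback code. The sample below is a constructed,
simplified stand-in for an older Cassandra logback.xml, not the actual file.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample (NOT the real Cassandra default logback.xml).
SAMPLE_LOGBACK_XML = """<?xml version="1.0" encoding="UTF-8"?>
<configuration scan="true" scanPeriod="60 seconds">
  <!-- constructed sample config for the example -->
  <jmxConfigurator />

  <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
    <encoder>
      <pattern>%-5level [%thread] %date{ISO8601} %F:%L - %msg%n</pattern>
    </encoder>
  </appender>

  <root level="INFO">
    <appender-ref ref="STDOUT" />
  </root>
</configuration>
"""

# Matches both the self-closing form (<jmxConfigurator/>, attributes allowed) and
# the open/close form (<jmxConfigurator ...>...</jmxConfigurator>).
_ELEMENT = r"<jmxConfigurator\b[^>]*?(?:/>|>.*?</jmxConfigurator>)"
# Element alone on a line: drop the whole line including its newline.
_WHOLE_LINE_RE = re.compile(r"^[ \t]*" + _ELEMENT + r"[ \t]*\r?\n", re.MULTILINE | re.DOTALL)
# Element sharing a line with other content: drop just the element.
_INLINE_RE = re.compile(_ELEMENT, re.DOTALL)


def _parse(xml_text: str) -> ET.Element:
    # Encode to bytes so the <?xml encoding="..."?> declaration is honoured.
    return ET.fromstring(xml_text.encode("utf-8"))


def count_jmx_configurator(xml_text: str) -> int:
    """Structural check: number of <jmxConfigurator> elements anywhere in the config."""
    return len(_parse(xml_text).findall(".//jmxConfigurator"))


def appender_names(xml_text: str) -> list[str]:
    """Names of top-level <appender> elements; used to confirm the rest survived."""
    return [a.get("name", "") for a in _parse(xml_text).findall("appender")]


def strip_jmx_configurator(xml_text: str) -> tuple[str, int]:
    """Return (cleaned_text, removed_count).

    Removal is text-based so XML comments and indentation are preserved; the
    result is re-parsed to prove it is still well-formed and element-free.
    """
    before = count_jmx_configurator(xml_text)
    cleaned = _WHOLE_LINE_RE.sub("", xml_text)
    cleaned = _INLINE_RE.sub("", cleaned)
    after = count_jmx_configurator(cleaned)  # also re-validates the cleaned XML
    if after != 0:
        raise ValueError(f"{after} jmxConfigurator element(s) survived removal")
    return cleaned, before - after


if __name__ == "__main__":
    # Usage: point this at your own logback.xml instead of the constructed sample.
    cleaned, removed = strip_jmx_configurator(SAMPLE_LOGBACK_XML)
    print(f"removed {removed} jmxConfigurator element(s); appenders kept: {appender_names(cleaned)}")
    print(cleaned)
```

Run it against a real file by reading the text in place of `SAMPLE_LOGBACK_XML`; a removed count of 0 means the config already matches what the PR does to the default, and a non-zero count tells you how many lines the logback 1.3+ warning would otherwise be complaining about.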