There is a log4j 1.x -> 2.x migration guide. https://logging.apache.org/log4j/2.x/manual/migration.html
They provide a bridge adapter that might help. I was planning to add that dependency and set an explicit 2.17.1 log4j dependency and see if it works. On Wed, Jan 19, 2022 at 9:22 PM Josh Fischer <[email protected]> wrote: > Hi Windham, > > Do you have any idea of the level of complexity for us to upgrade log4j? > > On Tue, Jan 18, 2022 at 7:30 PM Windham Wong @ StormEye.io < > [email protected]> wrote: > > > We got another Log4j critical issue here.. > > > > Regards J, > > *Windham Wong* > > OSWE, OSCP, GCIA, Specialist in Cybersecurity > > Co-Founder, Managing Partner of > > *Stormeye.io, Hong Kong Managed Security Operation Center Limited* > > Specialist in Cybersecurity, Log Management and SIEM System > > <https://www.stormeye.io> > > Email // [email protected] > > Phone // +852_3590_2212_|_+852_9832_0707 <tel:+85235902212> > > Fax // +852_3590_2202 <tel:+852_3590_2202> > > > > > > > > -------- Forwarded Message -------- > > Subject: [oss-security] CVE-2022-23307: Apache Log4j 1.x: A > > deserialization flaw in the Chainsaw component of Log4j 1 can lead to > > malicious code execution. > > Date: Tue, 18 Jan 2022 14:42:56 +0000 > > From: Ralph Goers <[email protected]> > > Reply-To: [email protected] > > To: [email protected] > > > > > > > > Severity: Critical > > > > Description: > > > > CVE-2020-9493 identified a deserialization issue that was present in > > Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of > > Apache Log4j 1.2.x where the same issue exists. > > > > Mitigation: > > > > Upgrade to Apache Log4j 2 and Apache Chainsaw 2.1.0. > > > > Credit: > > > > @kingkk > > >
