I've created a Github issue here: https://github.com/apache/incubator-heron/issues/3762
On Fri, Jan 21, 2022 at 3:54 PM Nicholas Nezis <[email protected]> wrote: > There is a log4j 1.x -> 2.x migration guide. > https://logging.apache.org/log4j/2.x/manual/migration.html > > They provide a bridge adapter that might help. I was planning to add that > dependency and set an explicit 2.17.1 log4j dependency and see if it works. > > On Wed, Jan 19, 2022 at 9:22 PM Josh Fischer <[email protected]> wrote: > >> Hi Windham, >> >> Do you have any idea of the level of complexity for us to upgrade log4j? >> >> On Tue, Jan 18, 2022 at 7:30 PM Windham Wong @ StormEye.io < >> [email protected]> wrote: >> >> > We got another Log4j critical issue here.. >> > >> > Regards J, >> > *Windham Wong* >> > OSWE, OSCP, GCIA, Specialist in Cybersecurity >> > Co-Founder, Managing Partner of >> > *Stormeye.io, Hong Kong Managed Security Operation Center Limited* >> > Specialist in Cybersecurity, Log Management and SIEM System >> > <https://www.stormeye.io> >> > Email // [email protected] >> > Phone // +852_3590_2212_|_+852_9832_0707 <tel:+85235902212> >> > Fax // +852_3590_2202 <tel:+852_3590_2202> >> > >> > >> > >> > -------- Forwarded Message -------- >> > Subject: [oss-security] CVE-2022-23307: Apache Log4j 1.x: A >> > deserialization flaw in the Chainsaw component of Log4j 1 can lead to >> > malicious code execution. >> > Date: Tue, 18 Jan 2022 14:42:56 +0000 >> > From: Ralph Goers <[email protected]> >> > Reply-To: [email protected] >> > To: [email protected] >> > >> > >> > >> > Severity: Critical >> > >> > Description: >> > >> > CVE-2020-9493 identified a deserialization issue that was present in >> > Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of >> > Apache Log4j 1.2.x where the same issue exists. >> > >> > Mitigation: >> > >> > Upgrade to Apache Log4j 2 and Apache Chainsaw 2.1.0. >> > >> > Credit: >> > >> > @kingkk >> > >> >
