thanks. sigh.

On Fri, Jan 21, 2022 at 12:57 PM Nicholas Nezis <[email protected]> wrote:

> I've created a GitHub issue here:
> https://github.com/apache/incubator-heron/issues/3762
>
> On Fri, Jan 21, 2022 at 3:54 PM Nicholas Nezis <[email protected]> wrote:
>
> > There is a log4j 1.x -> 2.x migration guide.
> > https://logging.apache.org/log4j/2.x/manual/migration.html
> >
> > They provide a bridge adapter that might help. I was planning to add that
> > dependency and set an explicit 2.17.1 log4j dependency and see if it works.
> >
> > On Wed, Jan 19, 2022 at 9:22 PM Josh Fischer <[email protected]> wrote:
> >
> >> Hi Windham,
> >>
> >> Do you have any idea of the level of complexity for us to upgrade log4j?
> >>
> >> On Tue, Jan 18, 2022 at 7:30 PM Windham Wong @ StormEye.io <[email protected]> wrote:
> >>
> >> > We got another Log4j critical issue here..
> >> >
> >> > Regards J,
> >> > *Windham Wong*
> >> > OSWE, OSCP, GCIA, Specialist in Cybersecurity
> >> > Co-Founder, Managing Partner of
> >> > *Stormeye.io, Hong Kong Managed Security Operation Center Limited*
> >> > Specialist in Cybersecurity, Log Management and SIEM System
> >> > <https://www.stormeye.io>
> >> > Email // [email protected]
> >> > Phone // +852_3590_2212_|_+852_9832_0707 <tel:+85235902212>
> >> > Fax // +852_3590_2202 <tel:+852_3590_2202>
> >> >
> >> > -------- Forwarded Message --------
> >> > Subject: [oss-security] CVE-2022-23307: Apache Log4j 1.x: A
> >> > deserialization flaw in the Chainsaw component of Log4j 1 can lead to
> >> > malicious code execution.
> >> > Date: Tue, 18 Jan 2022 14:42:56 +0000
> >> > From: Ralph Goers <[email protected]>
> >> > Reply-To: [email protected]
> >> > To: [email protected]
> >> >
> >> > Severity: Critical
> >> >
> >> > Description:
> >> >
> >> > CVE-2020-9493 identified a deserialization issue that was present in
> >> > Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of
> >> > Apache Log4j 1.2.x where the same issue exists.
> >> >
> >> > Mitigation:
> >> >
> >> > Upgrade to Apache Log4j 2 and Apache Chainsaw 2.1.0.
> >> >
> >> > Credit:
> >> >
> >> > @kingkk
