[ 
https://issues.apache.org/jira/browse/MNEMONIC-723?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Chenyang reassigned MNEMONIC-723:
---------------------------------

    Assignee: Chenyang

> Upgrade log4j version from 1.x to v2 for security vulnerability fixes
> ---------------------------------------------------------------------
>
>                 Key: MNEMONIC-723
>                 URL: https://issues.apache.org/jira/browse/MNEMONIC-723
>             Project: Mnemonic
>          Issue Type: Task
>          Components: Logging
>    Affects Versions: 0.17.0
>            Reporter: Yanhui Zhao
>            Assignee: Chenyang
>            Priority: Critical
>             Fix For: 0.17.0
>
>
> *TLDR:* Apache Log4j 1.x does have vulnerabilities that are unpatched. Many 
> configurations are not impacted by the vulnerabilities by default. Log4j 1.x 
> is EOL so there are no fixed 1.x versions. You can patch the jar files 
> yourself by removing the vulnerable class files. It's not a simple upgrade to 
> go from Log4j 1.x to 2.x in most cases.
>  
> According to the statement above, we need to upgrade our current log4j 
> version from v1.x to v2.x.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
