[ https://issues.apache.org/jira/browse/MNEMONIC-723?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Yanhui Zhao resolved MNEMONIC-723.
----------------------------------
Resolution: Fixed

Done, all subtasks are done.

> Upgrade log4j version from 1.x to v2 for security vulnerability fixes
> ---------------------------------------------------------------------
>
> Key: MNEMONIC-723
> URL: https://issues.apache.org/jira/browse/MNEMONIC-723
> Project: Mnemonic
> Issue Type: Task
> Components: Logging
> Affects Versions: 0.17.0
> Reporter: Yanhui Zhao
> Assignee: Yanhui Zhao
> Priority: Critical
> Fix For: 0.17.0
>
>
> *TLDR:* Apache Log4j 1.x does have vulnerabilities that are unpatched. Many
> configurations are not impacted by the vulnerabilities by default. Log4j 1.x
> is EOL so there are no fixed 1.x versions. You can patch the jar files
> yourself by removing the vulnerable class files. It's not a simple upgrade to
> go from Log4j 1.x to 2.x in most cases.
>
> According to the statement above, we need to upgrade our current log4j
> version from v1.x to v2.x.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)