[ https://issues.apache.org/jira/browse/OMID-313?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17955570#comment-17955570 ]

Istvan Toth commented on OMID-313:
----------------------------------

It's a bit late, but the ticket description is not correct. None of the listed CVEs are related to commons-logging. Replacing commons-logging with org.slf4j:jcl-over-slf4j is good, as it will result in the logs getting correctly processed by the selected logging backend, but this is not a security issue.

> Remove commons-logging due to multiple affecting CVEs
> -----------------------------------------------------
>
> Key: OMID-313
> URL: https://issues.apache.org/jira/browse/OMID-313
> Project: Phoenix Omid
> Issue Type: Improvement
> Reporter: Norbert Mészáros
> Assignee: Norbert Mészáros
> Priority: Major
> Fix For: 1.1.4
>
>
> Remove commons-logging due to multiple affecting CVEs
> (CVE-2021-37533 CVE-2019-17571 CVE-2021-4104 CVE-2022-23302 CVE-2022-23305
> CVE-2022-23307)

--
This message was sent by Atlassian Jira (v8.20.10#820010)