[
https://issues.apache.org/jira/browse/NIFI-9504?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17461979#comment-17461979
]
Joe Witt commented on NIFI-9504:
--------------------------------
was thinking it made sense to knock out log4j 2.17 as well with this
https://logging.apache.org/log4j/2.x/download.html
> Upgrade Logback to 1.2.9
> ------------------------
>
> Key: NIFI-9504
> URL: https://issues.apache.org/jira/browse/NIFI-9504
> Project: Apache NiFi
> Issue Type: Bug
> Components: Core Framework, MiNiFi, NiFi Registry, NiFi Stateless
> Affects Versions: 1.15.0, 1.15.1
> Reporter: David Handermann
> Assignee: David Handermann
> Priority: Minor
> Time Spent: 10m
> Remaining Estimate: 0h
>
> [Logback|https://logback.qos.ch/news.html] 1.2.9 includes updates to prevent
> potential code execution in non-standard configurations as described in
> [CVE-2021-42550|https://www.cve.org/CVERecord?id=CVE-2021-42550].
> The default NiFi configuration for Logback does not use these vulnerable
> features, but upgrading to the latest version avoids potential issues.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
