[jira] [Created] (NIFI-10475) Update logback-classic to remove Log4j in dependency

Mike R (Jira) Sat, 10 Sep 2022 08:10:06 -0700

Mike R created NIFI-10475:
-----------------------------

             Summary: Update logback-classic to remove Log4j in dependency
                 Key: NIFI-10475
                 URL: https://issues.apache.org/jira/browse/NIFI-10475
             Project: Apache NiFi
          Issue Type: Improvement
    Affects Versions: 1.16.2, 1.16.1, 1.17.0, 1.16.0
            Reporter: Mike R



Update logback-classic to 1.4.0 from 1.2.11 to remove the use of a vulnerable 
log4j version 1.2.17.  There are 4 CVE against the version of log4j including 
the following which are not found in logback-classic 1.4.0

[CVE-2022-23305|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23305]
[CVE-2022-23302|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23302]
[CVE-2021-4104|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4104]
[CVE-2019-17571|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17571]



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

[jira] [Created] (NIFI-10475) Update logback-classic to remove Log4j in dependency

Reply via email to