[
https://issues.apache.org/jira/browse/NIFI-10475?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17602718#comment-17602718
]
David Handermann commented on NIFI-10475:
-----------------------------------------
The logback-classic dependency does not have any dependencies on log4j, please
review the implementation more closely before linking non-applicable
vulnerabilities.
Version 1.4.0 of logback-classic requires Java 11, so upgrading to 1.4.0 is not
an option while Java 8 is still supported.
> Update logback-classic to remove Log4j in dependency
> ----------------------------------------------------
>
> Key: NIFI-10475
> URL: https://issues.apache.org/jira/browse/NIFI-10475
> Project: Apache NiFi
> Issue Type: Improvement
> Affects Versions: 1.16.0, 1.17.0, 1.16.1, 1.16.2
> Reporter: Mike R
> Priority: Major
>
> Update logback-classic to 1.4.0 from 1.2.11 to remove the use of a vulnerable
> log4j version 1.2.17. There are 4 CVE against the version of log4j including
> the following which are not found in logback-classic 1.4.0
> [CVE-2022-23305|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23305]
> [CVE-2022-23302|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23302]
> [CVE-2021-4104|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4104]
> [CVE-2019-17571|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17571]
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
