[jira] [Resolved] (NIFI-10475) Update logback-classic to remove Log4j in dependency

Mike R (Jira) Sat, 10 Sep 2022 08:22:04 -0700


     [ 
https://issues.apache.org/jira/browse/NIFI-10475?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]


Mike R resolved NIFI-10475.
---------------------------
    Resolution: Later

> Update logback-classic to remove Log4j in dependency
> ----------------------------------------------------
>
>                 Key: NIFI-10475
>                 URL: https://issues.apache.org/jira/browse/NIFI-10475
>             Project: Apache NiFi
>          Issue Type: Improvement
>    Affects Versions: 1.16.0, 1.17.0, 1.16.1, 1.16.2
>            Reporter: Mike R
>            Priority: Major
>
> Update logback-classic to 1.4.0 from 1.2.11 to remove the use of a vulnerable 
> log4j version 1.2.17.  There are 4 CVE against the version of log4j including 
> the following which are not found in logback-classic 1.4.0
> [CVE-2022-23305|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23305]
> [CVE-2022-23302|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23302]
> [CVE-2021-4104|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4104]
> [CVE-2019-17571|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17571]



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

[jira] [Resolved] (NIFI-10475) Update logback-classic to remove Log4j in dependency

Reply via email to