[
https://issues.apache.org/jira/browse/NIFI-10475?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17602720#comment-17602720
]
Mike R commented on NIFI-10475:
-------------------------------
[~exceptionfactory] thanks for the help and information. I'll close the ticket.
Was looking at
[https://mvnrepository.com/artifact/ch.qos.logback/logback-classic/1.2.11]
> Update logback-classic to remove Log4j in dependency
> ----------------------------------------------------
>
> Key: NIFI-10475
> URL: https://issues.apache.org/jira/browse/NIFI-10475
> Project: Apache NiFi
> Issue Type: Improvement
> Affects Versions: 1.16.0, 1.17.0, 1.16.1, 1.16.2
> Reporter: Mike R
> Priority: Major
>
> Update logback-classic to 1.4.0 from 1.2.11 to remove the use of a vulnerable
> log4j version 1.2.17. There are 4 CVE against the version of log4j including
> the following which are not found in logback-classic 1.4.0
> [CVE-2022-23305|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23305]
> [CVE-2022-23302|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23302]
> [CVE-2021-4104|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4104]
> [CVE-2019-17571|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17571]
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
