[jira] [Commented] (NIFI-10475) Update logback-classic to remove Log4j in dependency

David Handermann (Jira) Sat, 10 Sep 2022 08:24:06 -0700


    [ 
https://issues.apache.org/jira/browse/NIFI-10475?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17602721#comment-17602721
 ]


David Handermann commented on NIFI-10475:
-----------------------------------------

Thanks for the reference [~msr1716]. The Test Dependencies section is not 
applicable to runtime usage.

> Update logback-classic to remove Log4j in dependency
> ----------------------------------------------------
>
>                 Key: NIFI-10475
>                 URL: https://issues.apache.org/jira/browse/NIFI-10475
>             Project: Apache NiFi
>          Issue Type: Improvement
>    Affects Versions: 1.16.0, 1.17.0, 1.16.1, 1.16.2
>            Reporter: Mike R
>            Priority: Major
>
> Update logback-classic to 1.4.0 from 1.2.11 to remove the use of a vulnerable 
> log4j version 1.2.17.  There are 4 CVE against the version of log4j including 
> the following which are not found in logback-classic 1.4.0
> [CVE-2022-23305|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23305]
> [CVE-2022-23302|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23302]
> [CVE-2021-4104|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4104]
> [CVE-2019-17571|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17571]



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

[jira] [Commented] (NIFI-10475) Update logback-classic to remove Log4j in dependency

Reply via email to