Hi,


One of the Zookeeper 3.5.6 dependencies is:

log4j > log4j 1.2.17


However, Log4j 1.x has reached end of life according to 
https://logging.apache.org/log4j/1.2/ and it also has a security vulnerability:

CVE-2019-17571 has been identified against Log4j 1. Log4j includes a 
SocketServer that accepts serialized log events and deserializes them without 
verifying whether the objects are allowed or not. This can provide an attack 
vector that can be exploited. Since Log4j 1 is no longer maintained this issue 
will not be fixed. Users are urged to upgrade to Log4j 2.


Is there any plan to upgrade to log4j 2.x? Or will it work if we just replace 
the jars with the log4j 2 jars?


Thanks,

Daniel
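As an added example (not part of Daniel's message or of ZooKeeper's own code), a small Python scanner a defender could run against a ZooKeeper lib/ directory to flag log4j 1.x jars and confirm whether they ship the SocketServer class that CVE-2019-17571 concerns. The class path org/apache/log4j/net/SocketServer.class is log4j 1's real one; the jar names and jar contents below are constructed samples.

```python
import io
import re
import zipfile
from pathlib import Path

# Class shipped in log4j 1.x that CVE-2019-17571 concerns
# (real package path of org.apache.log4j.net.SocketServer).
SOCKET_SERVER_CLASS = "org/apache/log4j/net/SocketServer.class"
# log4j 1 artifacts are named log4j-1.x.y.jar; log4j 2 ships as
# log4j-core-2.x.y.jar / log4j-api-2.x.y.jar, which this does not match.
LOG4J1_NAME = re.compile(r"^log4j-(1\.\d+(?:\.\d+)?)\.jar$")


def inspect_jar(name, data):
    """Return a finding dict for one jar (given as bytes), or None if clean."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        entries = set(zf.namelist())
    has_socket_server = SOCKET_SERVER_CLASS in entries
    m = LOG4J1_NAME.match(name)
    if not (has_socket_server or m):
        return None
    return {
        "jar": name,
        # Version comes from the file name; shaded/renamed jars report "unknown".
        "version": m.group(1) if m else "unknown",
        "ships_socket_server": has_socket_server,
    }


def scan_lib_dir(lib_dir):
    """Scan every *.jar under lib_dir (e.g. ZooKeeper's lib/) for log4j 1.x."""
    findings = []
    for path in sorted(Path(lib_dir).glob("*.jar")):
        finding = inspect_jar(path.name, path.read_bytes())
        if finding:
            findings.append(finding)
    return findings


def make_sample_jar(entries):
    """Construct an in-memory jar holding the given (empty) entries; test fixture."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for entry in entries:
            zf.writestr(entry, b"")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample standing in for the log4j 1.2.17 jar ZooKeeper 3.5.6 pulls in.
    sample = make_sample_jar(["META-INF/MANIFEST.MF", SOCKET_SERVER_CLASS])
    print(inspect_jar("log4j-1.2.17.jar", sample))
```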

