Log4j 1.x should generally not be used anymore. Since it is officially not maintained anymore, it is very unlikely that someone will report vulnerabilities on it, as they won’t be fixed anyway. Best would be to upgrade to the latest log4j 2.17 or later.
> On 18.12.2021 at 23:00, Rusty Deaton <rdea...@radiantlogic.com.invalid> wrote:
>
> Hi there,
>
> Given that zookeeper uses log4j 1.2, it appears as though there's a
> potentially large CVE, https://nvd.nist.gov/vuln/detail/CVE-2021-4104 .
> Is there any official stance on this vulnerability?