Hi,

Short answer: NiFi 1.15.1 is 100% free of log4j 2.x and the recently discovered vulnerabilities.

Long answer: Older NiFi versions contained a vulnerable version of log4j, but the vulnerability was not exposed through NiFi as far as we're aware, even before 1.15.1. NiFi uses the slf4j API and Logback as the logger implementation. slf4j or Logback themselves are not affected by the recent log4j 2.x vulnerability.

- log4j-over-slf4j.jar: This is a bridge that makes dependencies that would otherwise use log4j use slf4j instead.
- jul-to-slf4j.jar: This is a java.util.logging handler that routes log messages to slf4j.
- slf4j-api.jar: This is slf4j.

So to summarise, none of the mentioned JARs are affected, the latest NiFi is safe to use.

It is possible that other projects are vulnerable through slf4j if they use the log4j logger implementation and an unpatched log4j version. You can tell that by looking for log4j-slf4j-impl.jar in your installation. NiFi doesn't have that.

Thanks,
Marton

On Fri, 17 Dec 2021 at 07:52, Chahat Madaan <[email protected]> wrote:
> Hi,
>
> As per release notes of NiFi 1.15.1, all the log4j.2.X dependencies have been
> upgraded to 2.16. But while deploying the latest NiFi Version, I can see some
> older JARs like log4j-over-slf4j-1.7.32.jar, jul-to-slf4j-1.7.32.jar,
> slf4j-api-1.7.32.jar. I just want to confirm if they are affected with latest
> log4j vulnerability or they are safe to use with latest NiFi Version.
>
> Thanks and Regards
> Chahat Madaan
> +91 844 874 3588
>
> From: Chahat Madaan <[email protected]>
> Date: Friday, 17 December 2021 at 1:12 PM
> To: <[email protected]>
> Cc: Snehadeep Vikram <[email protected]>
> Subject: Apache NiFi-1.15.1 Older sl4j and log4j jars
>
> Hi,
>
> As per release notes of NiFi 1.15.1, all the log4j.2.X dependencies have been
> upgraded to 2.16. But while deploying the latest NiFi Version, I can see
> some older JARs like log4j-over-slf4j-1.7.32.jar, jul-to-slf4j-1.7.32.jar,
> slf4j-api-1.7.32.jar. I just want to confirm if they are affected with latest
> log4j vulnerability or they are safe to use with latest NiFi Version.
>
> Thanks and Regards
> Chahat Madaan
> +91 844 874 3588
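
The check described in the reply above (looking for log4j-slf4j-impl.jar in an installation), written out as an added example that is not part of the original thread or of NiFi. It classifies the logging JARs by file name and also looks inside NAR/WAR/JAR archives, since NiFi bundles extension dependencies inside NARs; `log4j-core` as the log4j 2.x implementation artifact and all function names are assumptions of this example.

```python
import io
import re
import sys
import zipfile
from pathlib import Path

# Artifact names from the thread; log4j-core is added here (not named in the thread).
ROLES = {
    "log4j-over-slf4j": "bridge: log4j callers -> slf4j",
    "jul-to-slf4j": "bridge: java.util.logging -> slf4j",
    "slf4j-api": "slf4j API",
    "log4j-slf4j-impl": "REVIEW: slf4j bound to log4j 2.x",
    "log4j-core": "REVIEW: log4j 2.x implementation",
}
JAR_RE = re.compile(r"(?:^|/)(%s)-(\d[\w.]*)\.jar$" % "|".join(map(re.escape, ROLES)))
ARCHIVES = (".jar", ".nar", ".war")

def classify(name):
    """Return (artifact, version, role) for a known logging JAR name, else None."""
    m = JAR_RE.search(name.replace("\\", "/"))
    return (m.group(1), m.group(2), ROLES[m.group(1)]) if m else None

def scan_archive(data, origin, depth=3):
    """Yield (location, artifact, version, role) for JARs nested inside an archive."""
    if depth == 0 or not zipfile.is_zipfile(io.BytesIO(data)):
        return
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for entry in (e for e in zf.namelist() if e.lower().endswith(ARCHIVES)):
            where = f"{origin}!/{entry}"
            hit = classify(entry)
            if hit:
                yield (where, *hit)
            yield from scan_archive(zf.read(entry), where, depth - 1)

def scan_tree(root):
    """Walk an installation directory, including JARs bundled inside NAR/WAR files."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVES:
            hit = classify(path.name)
            if hit:
                findings.append((str(path), *hit))
            findings.extend(scan_archive(path.read_bytes(), str(path)))
    return findings

if __name__ == "__main__":
    for loc, artifact, version, role in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{role:36} {artifact}-{version}  {loc}")
```

Matching is by file name only, so a renamed or shaded copy of log4j would not be reported. Entries marked REVIEW still need their version compared against the patched log4j release.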
