Greg,

NiFi 1.15.0 included build configuration updates that excluded all references to Log4j 1 libraries as described in the following Jira issue:

https://issues.apache.org/jira/browse/NIFI-9283

Although previous versions of NiFi included Log4j 1 libraries, NiFi also leveraged hierarchical class-loading and the Log4j to SLF4J bridge library to route runtime Log4j 1 requests to SLF4J and Logback. The following post covers the details of logging library management in NiFi:

https://exceptionfactory.com/posts/2021/12/29/managing-logging-libraries-in-apache-nifi/

With that background, there should be no concerns related to Log4j 1 and recent versions of NiFi. As far as ZooKeeper itself, upgrading the client library version is something that will be addressed as part of regular dependency upgrade reviews.

Regards,
David Handermann

On Mon, May 2, 2022 at 9:56 AM Gregory M. Foreman <[email protected]> wrote:

> Hello:
>
> Nifi 1.16.1 included upgrading to zookeeper 3.5.9, which uses log4j 1.2.17
> (NIFI-9955). My client currently has an external zookeeper 3.5.8 deployed,
> it uses log4j 1.2.17, and it has been flagged to upgrade due to the log4j
> CVE. I originally thought that log4j 1.x versions were not affected, but I
> may have over-simplified the logic. Ref:
> https://www.petefreitag.com/item/926.cfm (no affiliation). It appears
> that zookeeper 3.5.9 is going to EOL in June 2022. Are there plans to
> upgrade to zookeeper 3.7.0 or later?
>
> Thanks,
> Greg
