Shawn: Thank you, we are going to migrate over to 3.8.0.
David: Thank you for the detailed explanations.

Greg

> On May 2, 2022, at 11:18 AM, David Handermann <[email protected]> wrote:
>
> Greg,
>
> NiFi 1.15.0 included build configuration updates that excluded all references to Log4j 1 libraries as described in the following Jira issue:
>
> https://issues.apache.org/jira/browse/NIFI-9283
>
> Although previous versions of NiFi included Log4j 1 libraries, NiFi also leveraged hierarchical class-loading and the Log4j to SLF4J bridge library to route runtime Log4j 1 requests to SLF4J and Logback. The following post covers the details of logging library management in NiFi:
>
> https://exceptionfactory.com/posts/2021/12/29/managing-logging-libraries-in-apache-nifi/
>
> With that background, there should be no concerns related to Log4j 1 and recent versions of NiFi.
>
> As far as ZooKeeper itself, upgrading the client library version is something that will be addressed as part of regular dependency upgrade reviews.
>
> Regards,
> David Handermann
>
> On Mon, May 2, 2022 at 9:56 AM Gregory M. Foreman <[email protected]> wrote:
> Hello:
>
> Nifi 1.16.1 included upgrading to zookeeper 3.5.9, which uses log4j 1.2.17 (NIFI-9955). My client currently has an external zookeeper 3.5.8 deployed, it uses log4j 1.2.17, and it has been flagged to upgrade due to the log4j CVE. I originally thought that log4j 1.x versions were not affected, but I may have over-simplified the logic. Ref: https://www.petefreitag.com/item/926.cfm (no affiliation). It appears that zookeeper 3.5.9 is going to EOL in June 2022. Are there plans to upgrade to zookeeper 3.7.0 or later?
>
> Thanks,
> Greg
