You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@nifi.apache.org by "David Handermann (Jira)" <ji...@apache.org> on 2022/01/04 17:02:00 UTC

[jira] [Resolved] (NIFI-9531) Nifi 1.15.2 still having older log4j

     [ https://issues.apache.org/jira/browse/NIFI-9531?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

David Handermann resolved NIFI-9531.
------------------------------------
      Assignee: David Handermann
    Resolution: Not A Problem

Version 1.7.32 refers to the version of SLF4J and associated bridge libraries for Log4j.  These libraries are not vulnerable to the recent issues reported for Log4j 2.

If you have a particular report that identifies that exact library file name, that might be helpful, but it sounds like the security report in question may be identifying a false positive based on the SLF4J version number described.

> Nifi 1.15.2 still having older log4j
> ------------------------------------
>
>                 Key: NIFI-9531
>                 URL: https://issues.apache.org/jira/browse/NIFI-9531
>             Project: Apache NiFi
>          Issue Type: Bug
>          Components: NiFi Stateless
>    Affects Versions: 1.15.1
>            Reporter: Subbu 
>            Assignee: David Handermann
>            Priority: Major
>             Fix For: 1.15.2
>
>
> Nifi 1.15.0 and 1.15.2 both contains same log4j version (version 1.7.32) which is reported by security team as a vulnerability. 
> IT security team looking for  latest log4j version 2.17.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)