Posted to pluto-dev@portals.apache.org by "Neil Griffin (Jira)" <ji...@apache.org> on 2021/12/15 18:51:00 UTC

[jira] [Closed] (PLUTO-787) Migrate to Log4j 2.16.0 due to CVE-2019-17571 and CVE-2021-44228

     [ https://issues.apache.org/jira/browse/PLUTO-787?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Neil Griffin closed PLUTO-787.
------------------------------
    Resolution: Fixed

> Migrate to Log4j 2.16.0 due to CVE-2019-17571 and CVE-2021-44228
> ----------------------------------------------------------------
>
>                 Key: PLUTO-787
>                 URL: https://issues.apache.org/jira/browse/PLUTO-787
>             Project: Pluto
>          Issue Type: Task
>          Components: demo portlets, maven archetypes
>            Reporter: Neil Griffin
>            Assignee: Neil Griffin
>            Priority: Major
>             Fix For: 3.1.1
>
>
> This task involves migrating the following dependencies from Log4j 1.x to Log4j 2.x due to [CVE-2019-17571|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17571]:
> - log4j:log4j -> org.apache.logging.log4j:log4j-api-2.16.0
> - org.slf4j:slf4j-log4j12 -> org.apache.logging.log4j:log4j-slf4j-impl-2.16.0
> Also, due to [CVE-2021-44228|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228] (which only affects Log4j2) it is necessary to use version 2.16.0 at a minimum.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
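
The dependency rules in the issue description above, written as a check that can be run over a Maven POM. This is an added example, not part of the Jira message or the Pluto code base; the function names, reason labels and sample POM are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Coordinates the issue says to migrate away from (Log4j 1.x and its SLF4J binding).
LEGACY = {("log4j", "log4j"), ("org.slf4j", "slf4j-log4j12")}
LOG4J2_GROUP = "org.apache.logging.log4j"
MIN_LOG4J2 = (2, 16, 0)  # minimum Log4j 2.x version stated in the issue
# Constructed sample POM for illustration; not taken from the Pluto source tree.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><log4j2.version>2.14.1</log4j2.version></properties>
  <dependencies>
    <dependency><groupId>log4j</groupId><artifactId>log4j</artifactId><version>1.2.17</version></dependency>
    <dependency><groupId>org.slf4j</groupId><artifactId>slf4j-log4j12</artifactId><version>1.7.30</version></dependency>
    <dependency><groupId>org.apache.logging.log4j</groupId><artifactId>log4j-core</artifactId><version>${log4j2.version}</version></dependency>
    <dependency><groupId>org.apache.logging.log4j</groupId><artifactId>log4j-api</artifactId><version>2.16.0</version></dependency>
  </dependencies>
</project>"""

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # strip the "{namespace}" prefix ElementTree adds

def _fields(elem):
    return {_local(c.tag): (c.text or "").strip() for c in elem}

def _parse_version(text):
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    return tuple(int(g or 0) for g in m.groups()) if m else None  # "2.16" -> (2, 16, 0)

def audit_pom(pom_xml):
    """Return (groupId, artifactId, version, reason) for each dependency to fix."""
    root = ET.fromstring(pom_xml)
    props = next((_fields(e) for e in root if _local(e.tag) == "properties"), {})
    findings = []
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        f = _fields(dep)
        group, artifact, raw = f.get("groupId", ""), f.get("artifactId", ""), f.get("version", "")
        ref = re.fullmatch(r"\$\{(.+)\}", raw)  # resolve ${property} from <properties>
        version = props.get(ref.group(1), raw) if ref else raw
        if (group, artifact) in LEGACY:
            findings.append((group, artifact, version, "log4j-1.x"))
        elif group == LOG4J2_GROUP:
            parsed = _parse_version(version)
            if parsed is None:  # version missing or inherited from a parent POM
                findings.append((group, artifact, version, "unresolved-version"))
            elif parsed < MIN_LOG4J2:
                findings.append((group, artifact, version, "below-2.16.0"))
    return findings
```

Versions managed by a parent POM or BOM come back as unresolved-version and need to be checked against the effective POM.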