Posted to dev@mnemonic.apache.org by "Yanhui Zhao (Jira)" <ji...@apache.org> on 2022/02/21 04:29:00 UTC

[jira] [Commented] (MNEMONIC-723) Upgrade log4j version from 1.x to v2 for security vulnerability fixes

    [ https://issues.apache.org/jira/browse/MNEMONIC-723?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17495315#comment-17495315 ] 

Yanhui Zhao commented on MNEMONIC-723:
--------------------------------------

log4j migration instructions: https://logging.apache.org/log4j/2.x/manual/migration.html

> Upgrade log4j version from 1.x to v2 for security vulnerability fixes
> ---------------------------------------------------------------------
>
>                 Key: MNEMONIC-723
>                 URL: https://issues.apache.org/jira/browse/MNEMONIC-723
>             Project: Mnemonic
>          Issue Type: Task
>          Components: Logging
>    Affects Versions: 0.17.0
>            Reporter: Yanhui Zhao
>            Priority: Critical
>             Fix For: 0.17.0
>
>
> *TLDR:* Apache Log4j 1.x does have vulnerabilities that are unpatched. Many configurations are not impacted by the vulnerabilities by default. Log4j 1.x is EOL, so there are no fixed 1.x versions. You can patch the jar files yourself by removing the vulnerable class files. It's not a simple upgrade to go from Log4j 1.x to 2.x in most cases.
>  
> According to the statement above, we need to upgrade our current log4j version from v1.x to v2.x.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
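The API change the migration guide linked in the comment above walks through, shown side by side as an added illustration; this is not code from the Mnemonic project or from the Jira thread. The class names (SessionCacheV1, SessionCacheV2), the describeState() helper and the logged values are made up for the example. The Maven coordinates are the standard Log4j 2 ones (log4j-api, log4j-core and the log4j-1.2-api bridge); the 2.17.1 version pinned in the comments is an assumption and should be checked against the current Log4j 2 release before use.

```java
// Before: Log4j 1.x API, the code path MNEMONIC-723 is moving away from.
// Only org.apache.log4j.* symbols are used; they come from the EOL
// log4j:log4j:1.2.x jar.
import org.apache.log4j.Logger;

class SessionCacheV1 {
    private static final Logger LOG = Logger.getLogger(SessionCacheV1.class);

    void evict(String sessionId, int remaining) {
        // String concatenation builds the message even when INFO is disabled,
        // and the 1.x API offers no parameterised alternative.
        LOG.info("evicted session " + sessionId + ", " + remaining + " left");
        LOG.debug("cache state: " + describeState());
    }

    // Hypothetical helper standing in for an expensive state dump.
    String describeState() {
        return "entries=42";
    }
}

// After: Log4j 2 API.
// pom.xml dependencies (version is an assumption; check the current 2.x release):
//   org.apache.logging.log4j:log4j-api:2.17.1       compile-time API
//   org.apache.logging.log4j:log4j-core:2.17.1      runtime implementation
//   org.apache.logging.log4j:log4j-1.2-api:2.17.1   optional bridge: routes
//       third-party code that still calls org.apache.log4j.* into Log4j 2,
//       so the 1.x jar itself can be dropped from the classpath
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

class SessionCacheV2 {
    // Logger now comes from LogManager, not from a static Logger.getLogger.
    private static final org.apache.logging.log4j.Logger LOG =
            LogManager.getLogger(SessionCacheV2.class);

    void evict(String sessionId, int remaining) {
        // {} placeholders: no formatting work when the level is disabled,
        // and the session id travels as a parameter, not as message text.
        LOG.info("evicted session {}, {} left", sessionId, remaining);
        // Supplier overload: describeState() runs only if DEBUG is enabled.
        LOG.debug("cache state: {}", this::describeState);
    }

    // Same hypothetical helper as above.
    String describeState() {
        return "entries=42";
    }
}
```

Two things the side-by-side does not show but the migration guide covers: Log4j 2 does not read a 1.x log4j.properties file by default, so a log4j2.xml (or another 2.x configuration) has to be written alongside the code change; and the log4j-1.2-api bridge covers the common 1.x logging calls but not code that subclasses 1.x Appender or Layout or reaches into 1.x internals, which is why a grep for org.apache.log4j across the whole tree, including test sources, is the first step.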