Posted to dev@nifi.apache.org by Rafi Ahmed <Ra...@toronto.ca> on 2021/12/23 16:45:33 UTC

FW: Log4j Vulnerability

Dear Nifi team

We are in the process of replacing all log4j 2.5 versions with 2.17 for our current NiFi version, nifi-1.9.0-RC2.

Please let us know the best way to proceed further. Is it just to delete the existing files and replace them with the files from the location below?

https://www.apache.org/dyn/closer.lua/logging/log4j/2.17.0/apache-log4j-2.17.0-bin.zip 
 

Thanks for your support.



Rafi Ahmed
O  1-416-338-2158
M 1-416-894-6432


-----Original Message-----
From: Joe Witt [mailto:joe.witt@gmail.com] 
Sent: December 14, 2021 11:46 AM
To: dev@nifi.apache.org
Subject: Re: Log4j Vulnerability


Yes of course we're very in tune with what is happening.  The convenience binary we sent doesn't contain log4j impacted libs.  But some of the nars we publish that people can use do.  We also do not use log4j directly as we use slf4j.  But we're not certain that every possible avenue of this is shut down so we're treating this as if we must replace it entirely.  To that end we are releasing Apache NiFi
1.15.1 and doing so on an urgent timeline.  There have been issues with the release process presumably due to Apache being under so much load.
But we're on it.  Hopefully vote today/release up/available tomorrow.
TBD

Thanks

On Tue, Dec 14, 2021 at 9:40 AM Haris Javaid <Ha...@toronto.ca> wrote:
>
> Hi there,
> I am sure you guys are aware of the recently found log4j 
> vulnerability. I am curious to know if it's required for us NiFi users 
> to take some action. Please let me know
>
> Thanks,
> H


Re: FW: Log4j Vulnerability

Posted by Joe Witt <jo...@gmail.com>.
Rafi

We do not recommend attempts to replace Jars in this manner, and you
have to keep in mind you'd have to go through/manipulate the
nars/their contents in every case where problematic Jars were present.

Apache NiFi 1.15.2 is out.  In it we no longer have or allow log4j 1.x,
the log4j 2.x core library, or any other log4j 2.x component other than
2.17 in the build, and we use the latest logback.  I would
upgrade to it and be mindful of the migration guidance we've posted for
all the releases from 1.9 to 1.15.

Thanks
Joe
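The point Joe makes about NARs is the one that trips up a manual jar swap: a NiFi NAR is a zip archive whose bundled jars sit under META-INF/bundled-dependencies/, so a flat listing of lib/ does not show a log4j-core that is still shipped inside a NAR. The following scanner is an added example, not code from the NiFi project or from anyone in this thread. It walks a directory tree, opens every .nar/.jar/.war/.zip, descends one level into nested jars, and reports each log4j-core it finds with its version and whether that version is below 2.17.0 (the release the thread points to). It assumes the standard Maven pom.properties path inside log4j-core and falls back to the jar file name for the version; the build_sample_nar fixture is constructed for the demo and does not mirror any real NAR.

```python
"""Inventory log4j-core inside a NiFi install, including jars bundled in NARs.

NiFi NARs nest their jars under META-INF/bundled-dependencies/, so this
opens each archive, descends one level, and reports log4j-core versions.
Added example, not NiFi project code.
"""
import io
import re
import tempfile
import zipfile
from pathlib import Path

FIXED_VERSION = (2, 17, 0)  # release the thread recommends moving to
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = {".nar", ".jar", ".war", ".zip"}


def parse_version(text):
    """'2.17.0' -> (2, 17, 0); '2.5' -> (2, 5, 0); None when no version is found."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return tuple(int(x) if x else 0 for x in m.groups())


def inspect_log4j_core(zf, name):
    """Return a finding dict if the archive carries log4j-core classes, else None."""
    names = set(zf.namelist())
    if not any(n.startswith("org/apache/logging/log4j/core/") for n in names):
        return None
    version = None
    if POM_PROPS in names:  # Maven metadata is more reliable than the file name
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                version = parse_version(line)
    if version is None:  # fall back to the jar name, e.g. log4j-core-2.5.jar
        version = parse_version(Path(name).name)
    return {
        "archive": name,
        "version": version,
        "jndi_lookup": JNDI_LOOKUP in names,  # the JNDI lookup class is still present
        "needs_upgrade": version is None or version < FIXED_VERSION,
    }


def scan_zip(zf, name, findings, depth=0):
    """Record log4j-core in zf and in any jar nested one level inside it."""
    finding = inspect_log4j_core(zf, name)
    if finding:
        findings.append(finding)
    if depth >= 1:
        return  # NARs nest jars one level deep; no need to go further
    for entry in zf.namelist():
        if Path(entry).suffix.lower() in ARCHIVE_SUFFIXES:
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(entry)))
            except zipfile.BadZipFile:
                continue
            scan_zip(inner, f"{name}!/{entry}", findings, depth + 1)


def scan_tree(root):
    """Scan every archive under root (e.g. NIFI_HOME/lib) and return the findings."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            try:
                with zipfile.ZipFile(path) as zf:
                    scan_zip(zf, str(path), findings)
            except zipfile.BadZipFile:
                continue
    return findings


def build_sample_nar(directory):
    """Constructed fixture: a fake NAR bundling a fake log4j-core-2.5.jar.

    Class entries are empty placeholders; only their paths matter to the scan.
    """
    def jar_bytes(entries):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as jar:
            for entry_name, data in entries.items():
                jar.writestr(entry_name, data)
        return buf.getvalue()

    old_core = jar_bytes({
        JNDI_LOOKUP: b"",
        POM_PROPS: b"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion=2.5\n",
    })
    other = jar_bytes({"org/slf4j/Logger.class": b""})  # a non-log4j jar for contrast
    nar_path = Path(directory) / "nifi-sample-nar-1.0.0.nar"
    with zipfile.ZipFile(nar_path, "w") as nar:
        nar.writestr("META-INF/bundled-dependencies/log4j-core-2.5.jar", old_core)
        nar.writestr("META-INF/bundled-dependencies/slf4j-api-1.7.32.jar", other)
    return nar_path


def demo():
    """Build the fixture in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_nar(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for f in demo():
        status = "UPGRADE" if f["needs_upgrade"] else "ok"
        print(f"{status}: {f['archive']} version={f['version']} jndi={f['jndi_lookup']}")
```

Run it against a real install with scan_tree("/path/to/nifi/lib") (and the work/ directory where NiFi unpacks NARs); every hit with needs_upgrade set is an archive that a jar swap in lib/ alone would not have touched, which is why the reply above recommends upgrading the release rather than editing archives by hand.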
