Posted to dev@mnemonic.apache.org by "Yanhui Zhao (Jira)" <ji...@apache.org> on 2022/02/17 22:05:00 UTC

[jira] [Created] (MNEMONIC-723) Upgrade log4j version from 1.x to v2 for security vulnerability fixes

Yanhui Zhao created MNEMONIC-723:
------------------------------------

             Summary: Upgrade log4j version from 1.x to v2 for security vulnerability fixes
                 Key: MNEMONIC-723
                 URL: https://issues.apache.org/jira/browse/MNEMONIC-723
             Project: Mnemonic
          Issue Type: Task
          Components: Logging
    Affects Versions: 0.17.0
            Reporter: Yanhui Zhao
             Fix For: 0.17.0


*TLDR:* Apache Log4j 1.x does have vulnerabilities that are unpatched. Many configurations are not impacted by the vulnerabilities by default. Log4j 1.x is EOL so there are no fixed 1.x versions. You can patch the jar files yourself by removing the vulnerable class files. It's not a simple upgrade to go from Log4j 1.x to 2.x in most cases.


According to the statement above, we need to upgrade our current log4j version from v1.x to v2.x.
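The interim mitigation the TLDR mentions (patching a Log4j 1.x jar by deleting the vulnerable class files) as an added, self-contained example; this is not code from the Mnemonic project or this ticket. The script inspects a jar, reports which of a configured list of class entries it contains, writes a patched copy without them, and verifies the copy. The class list is an assumption taken from the Log4j project's published 1.x guidance and must be checked against the current upstream list; the sample jar it runs on is constructed in place with dummy class bodies.

```python
# Added example: inspect a Log4j 1.x jar and write a copy with selected classes removed.
# Not part of the Mnemonic project. The class list is an assumption drawn from the Log4j
# project's 1.x guidance; verify it against the current upstream list before relying on it.
import tempfile
import zipfile
from pathlib import Path

# Assumed list of class entries the Log4j 1.x guidance recommends deleting when the
# appenders/servers they implement are not used by the application.
DEFAULT_VULNERABLE_CLASSES = (
    "org/apache/log4j/net/JMSAppender.class",
    "org/apache/log4j/net/SocketServer.class",
    "org/apache/log4j/net/JMSSink.class",
    "org/apache/log4j/jdbc/JDBCAppender.class",
)

# Present in every Log4j 1.x jar. Caveat: the Log4j 2 bridge (log4j-1.2-api) reuses the
# same package names, so confirm the artifact coordinates before patching anything.
LOG4J1_MARKER = "org/apache/log4j/Category.class"


def is_log4j1_jar(jar_path):
    """Return True if the archive carries the Log4j 1.x Category class."""
    with zipfile.ZipFile(jar_path) as zf:
        return LOG4J1_MARKER in zf.namelist()


def find_vulnerable_entries(jar_path, vulnerable=DEFAULT_VULNERABLE_CLASSES):
    """List which of the given class entries are actually present in the jar."""
    with zipfile.ZipFile(jar_path) as zf:
        names = set(zf.namelist())
    return sorted(entry for entry in vulnerable if entry in names)


def strip_classes(src_jar, dst_jar, vulnerable=DEFAULT_VULNERABLE_CLASSES):
    """Copy src_jar to dst_jar, omitting the listed entries; return the removed names.

    Copying entry by entry keeps the manifest and every other class byte-identical,
    which is the same effect as `zip -d` on the command line.
    """
    removed = []
    with zipfile.ZipFile(src_jar) as src, zipfile.ZipFile(dst_jar, "w") as dst:
        for info in src.infolist():
            if info.filename in vulnerable:
                removed.append(info.filename)
                continue
            dst.writestr(info, src.read(info.filename))
    return sorted(removed)


def build_sample_jar(path):
    """Constructed stand-in for a Log4j 1.x jar: a manifest, the marker class, one entry
    from the vulnerable list and one harmless class. Class bodies are dummy bytes."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr(LOG4J1_MARKER, b"\xca\xfe\xba\xbe")
        zf.writestr("org/apache/log4j/net/JMSAppender.class", b"\xca\xfe\xba\xbe")
        zf.writestr("org/apache/log4j/Logger.class", b"\xca\xfe\xba\xbe")
    return path


def patch_and_verify(workdir=None):
    """End-to-end run on the constructed jar: report, patch, and confirm the copy is clean."""
    workdir = Path(workdir or tempfile.mkdtemp())
    workdir.mkdir(parents=True, exist_ok=True)
    original = build_sample_jar(workdir / "log4j-sample.jar")
    patched = workdir / "log4j-sample-patched.jar"
    before = find_vulnerable_entries(original)
    removed = strip_classes(original, patched)
    after = find_vulnerable_entries(patched)
    with zipfile.ZipFile(patched) as zf:
        kept = sorted(zf.namelist())
    return {
        "log4j1": is_log4j1_jar(original),
        "before": before,
        "removed": removed,
        "after": after,
        "kept": kept,
    }


if __name__ == "__main__":
    print(patch_and_verify())
```

Removing classes only helps when the application never configures the corresponding appender or server, and it leaves every other unfixed 1.x issue in place, which is why the ticket treats it as a stopgap and the migration to 2.x as the real fix.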



--
This message was sent by Atlassian Jira
(v8.20.1#820001)