Posted to issues@nifi.apache.org by "David Handermann (Jira)" <ji...@apache.org> on 2021/12/15 13:35:00 UTC
[jira] [Updated] (NIFI-9474) Upgrade Log4j 2 to 2.15.0
[ https://issues.apache.org/jira/browse/NIFI-9474?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
David Handermann updated NIFI-9474:
-----------------------------------
Summary: Upgrade Log4j 2 to 2.15.0 (was: Upgrade Log4j to 2.15.0)
> Upgrade Log4j 2 to 2.15.0
> -------------------------
>
> Key: NIFI-9474
> URL: https://issues.apache.org/jira/browse/NIFI-9474
> Project: Apache NiFi
> Issue Type: Improvement
> Reporter: Pierre Villard
> Assignee: Bryan Bende
> Priority: Major
> Labels: security
> Fix For: 1.16.0, 1.15.1
>
> Time Spent: 1.5h
> Remaining Estimate: 0h
>
> Following NIFI-9283, upgrade Log4j to 2.15.0 wherever possible.
> This is in light of the recent announcement for https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
> We do not believe we use Log4j 2 in any way that exposes the vulnerability, but we'll update beyond the version anyway. We still need to fix the following, so I reopened the JIRA:
> ./nifi-nar-bundles/nifi-atlas-bundle/nifi-atlas-nar/target/classes/META-INF/bundled-dependencies/log4j-api-2.13.3.jar
> ./nifi-nar-bundles/nifi-atlas-bundle/nifi-atlas-nar/target/classes/META-INF/bundled-dependencies/log4j-core-2.13.3.jar
> ./nifi-registry/nifi-registry-core/nifi-registry-web-api/target/nifi-registry-web-api-1.16.0-SNAPSHOT/WEB-INF/lib/log4j-to-slf4j-2.14.1.jar
> ./nifi-registry/nifi-registry-core/nifi-registry-web-api/target/nifi-registry-web-api-1.16.0-SNAPSHOT/WEB-INF/lib/log4j-api-2.14.1.jar
> ./nifi-registry/nifi-registry-toolkit/nifi-registry-toolkit-assembly/target/nifi-registry-toolkit-1.16.0-SNAPSHOT-bin/nifi-registry-toolkit-1.16.0-SNAPSHOT/lib/log4j-to-slf4j-2.14.1.jar
> ./nifi-registry/nifi-registry-toolkit/nifi-registry-toolkit-assembly/target/nifi-registry-toolkit-1.16.0-SNAPSHOT-bin/nifi-registry-toolkit-1.16.0-SNAPSHOT/lib/log4j-api-2.14.1.jar
--
This message was sent by Atlassian Jira
(v8.20.1#820001)