Posted to users@nifi.apache.org by Chahat Madaan <ch...@applicatetechnology.com> on 2021/12/17 07:51:35 UTC

Apache NiFi-1.15.1 Older sl4j and log4j jars

Hi,

As per the release notes of NiFi 1.15.1, all the log4j 2.x dependencies have been upgraded to 2.16. But while deploying the latest NiFi version, I can see some older JARs like log4j-over-slf4j-1.7.32.jar, jul-to-slf4j-1.7.32.jar, slf4j-api-1.7.32.jar. I just want to confirm whether they are affected by the latest log4j vulnerability or they are safe to use with the latest NiFi version.

Thanks and Regards

Chahat Madaan

+91 844 874 3588


Re: Apache NiFi-1.15.1 Older sl4j and log4j jars

Posted by Marton Szasz <sz...@apache.org>.
Hi,

Short answer: NiFi 1.15.1 is 100% free of log4j 2.x and the recently
discovered vulnerabilities.

Long answer: Older NiFi versions contained a vulnerable version of
log4j, but the vulnerability was not exposed through NiFi as far as
we're aware, even before 1.15.1. NiFi uses the slf4j API and Logback
as the logger implementation. Neither slf4j nor Logback itself is
affected by the recent log4j 2.x vulnerability.
- log4j-over-slf4j.jar: This is a bridge that makes dependencies that
would otherwise use log4j use slf4j instead.
- jul-to-slf4j.jar: This is a java.util.logging handler that routes
log messages to slf4j.
- slf4j-api.jar: This is slf4j.

So, to summarise: none of the mentioned JARs are affected, and the latest
NiFi is safe to use. It is possible that other projects are vulnerable
through slf4j if they use the log4j logger implementation and an
unpatched log4j version. You can tell that by looking for
log4j-slf4j-impl.jar in your installation. NiFi doesn't have that.

Thanks,
Marton

On Fri, 17 Dec 2021 at 07:52, Chahat Madaan
<ch...@applicatetechnology.com> wrote:
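As an added example (not from this thread or the NiFi project), a POSIX shell script that applies the check Marton describes to a NiFi lib directory: it classifies the three JARs the question names, plus Logback, as slf4j-side components, and flags log4j-slf4j-impl or log4j-core, whose presence would mean log4j 2.x is actually the logger. It assumes JAR names follow the usual artifact-version.jar convention; the directory and file names used when running it are constructed.

```shell
#!/bin/sh
# Added example: classify the logging JARs in a NiFi lib directory.
# Assumption (not from the thread): JAR names follow the usual
# <artifact>-<version>.jar Maven convention, so the version is the
# trailing dotted number.

# Extract the version from a name like log4j-core-2.14.1.jar -> 2.14.1
jar_version() {
    basename "$1" .jar | sed 's/.*-\([0-9][0-9.]*\)$/\1/'
}

# True (exit 0) when a log4j-core version is older than 2.16, the
# version the NiFi 1.15.1 release notes say the dependencies moved to.
log4j_core_outdated() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    [ "$major" -lt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -lt 16 ]; }
}

# One verdict per JAR, mirroring the reply: the slf4j bridges, the
# slf4j API and Logback are fine; log4j-slf4j-impl means slf4j is
# bound to log4j 2.x, and log4j-core is log4j 2.x itself.
classify_jar() {
    case "$(basename "$1")" in
        log4j-over-slf4j-*.jar) echo "ok bridge: log4j API calls routed into slf4j" ;;
        jul-to-slf4j-*.jar)     echo "ok handler: java.util.logging routed into slf4j" ;;
        slf4j-api-*.jar)        echo "ok api: slf4j itself" ;;
        logback-*.jar)          echo "ok impl: Logback, the logger NiFi uses" ;;
        log4j-slf4j-impl-*.jar) echo "REVIEW binding: slf4j is backed by log4j 2.x" ;;
        log4j-core-*.jar)
            ver=$(jar_version "$1")
            if log4j_core_outdated "$ver"; then
                echo "REVIEW impl: log4j 2.x core $ver, older than 2.16"
            else
                echo "note impl: log4j 2.x core $ver, 2.16 or newer"
            fi ;;
        *)                      echo "other" ;;
    esac
}

# Print a verdict per JAR in the directory; exit 1 if anything needs review.
scan_lib() {
    findings=0
    for jar in "$1"/*.jar; do
        [ -e "$jar" ] || continue
        verdict=$(classify_jar "$jar")
        printf '%s\t%s\n' "$(basename "$jar")" "$verdict"
        case "$verdict" in REVIEW*) findings=$((findings + 1)) ;; esac
    done
    [ "$findings" -eq 0 ]
}
```

Run it as `scan_lib /path/to/nifi/lib`; a clean NiFi 1.15.1 install should show only "ok" lines and exit 0.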