Mnemonic / MNEMONIC-723

Upgrade log4j version from 1.x to v2 for security vulnerability fixes

Details

    • Type: Task
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 0.17.0
    • Fix Version/s: 0.17.0
    • Component/s: Logging
    • Labels: None

    Description

      TLDR: Apache Log4j 1.x does have vulnerabilities that are unpatched. Many configurations are not impacted by the vulnerabilities by default. Log4j 1.x is EOL so there are no fixed 1.x versions. You can patch the jar files yourself by removing the vulnerable class files. It's not a simple upgrade to go from Log4j 1.x to 2.x in most cases.

      According to the statement above, we need to upgrade our current log4j version from v1.x to v2.x.

          People

            Assignee: yzz127 Yanhui Zhao
            Reporter: yzz127 Yanhui Zhao
            Votes: 0
            Watchers: 1

              Time Tracking

                Estimated: Not Specified
                Remaining: 0h
                Logged: 4h 40m