[NIFI-9474] Upgrade Log4j 2 to 2.15.0 - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 1.16.0, 1.15.1
Component/s: None
Labels:
- security

Description

Following ~~NIFI-9283~~, upgrade Log4j to 2.15.0 wherever possible.

This is in light of the recent announcement for https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228

We do not believe we use log4j 2 in any way that exposes the vulnerability but we'll update beyond the version anyway. We still need to fix the following so I reopened the JIRA

./nifi-nar-bundles/nifi-atlas-bundle/nifi-atlas-nar/target/classes/META-INF/bundled-dependencies/log4j-api-2.13.3.jar
./nifi-nar-bundles/nifi-atlas-bundle/nifi-atlas-nar/target/classes/META-INF/bundled-dependencies/log4j-core-2.13.3.jar
./nifi-registry/nifi-registry-core/nifi-registry-web-api/target/nifi-registry-web-api-1.16.0-SNAPSHOT/WEB-INF/lib/log4j-to-slf4j-2.14.1.jar
./nifi-registry/nifi-registry-core/nifi-registry-web-api/target/nifi-registry-web-api-1.16.0-SNAPSHOT/WEB-INF/lib/log4j-api-2.14.1.jar
./nifi-registry/nifi-registry-toolkit/nifi-registry-toolkit-assembly/target/nifi-registry-toolkit-1.16.0-SNAPSHOT-bin/nifi-registry-toolkit-1.16.0-SNAPSHOT/lib/log4j-to-slf4j-2.14.1.jar
./nifi-registry/nifi-registry-toolkit/nifi-registry-toolkit-assembly/target/nifi-registry-toolkit-1.16.0-SNAPSHOT-bin/nifi-registry-toolkit-1.16.0-SNAPSHOT/lib/log4j-api-2.14.1.jar

Attachments

Issue Links

relates to

NIFI-9482 Upgrade Log4j 2 to 2.16.0

Resolved

links to

GitHub Pull Request #5592

GitHub Pull Request #5595

GitHub Pull Request #5598

Activity

People

Assignee:: Bryan Bende

Reporter:: Pierre Villard

Votes:: 0 Vote for this issue

Watchers:: 7 Start watching this issue

Dates

Created:: 10/Dec/21 12:03

Updated:: 30/Dec/21 13:41

Resolved:: 13/Dec/21 16:56

Time Tracking

Estimated:

Not Specified

Remaining:

Logged:

1.5h