Description
Due to the recent issues with log4j2, the migration to another logging library has come up again. Although log4j1 is not impacted by the vulnerability, the upgrade to log4j2 was abandoned multiple times in ZK history.
I suggest migrating to logback now, which is also a well-maintained and mature project, and it is much easier to migrate to from log4j1.
Issue Links
- causes
  - ZOOKEEPER-4763 Logback dependency should be scope provided/test (Open)
- is duplicated by
  - ZOOKEEPER-4451 vulnerable version of log4j (1.2.15/12.16) is being used in Zookeeper (Resolved)
  - ZOOKEEPER-4450 Zookeeper 3.7.0 is using Vulnerable log4j of 1.2.17 (Resolved)
- is related to
  - LEGAL-594 How do projects handle dual-licensed dependencies? (Closed)
  - LEGAL-595 Correct handling of a dual-licensed dependency (Closed)
- relates to
  - ZOOKEEPER-4452 Log4j 1.X CVE-2022-23302/5/7 vulnerabilities (Closed)
- supercedes
  - ZOOKEEPER-2342 Migrate to Log4J 2. (Resolved)