[ https://issues.apache.org/jira/browse/HADOOP-16206?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17283006#comment-17283006 ]

Steve Loughran commented on HADOOP-16206:
-----------------------------------------

[~satanicmechanic] do bear in mind that the log4j CVEs are related to the log4j 
services which listen on the network to collect and aggregate reports. There is 
no such deployment in the hadoop codebase, so their security risk is more 
transient "someone downstream may set things up this way".

The big barrier to this has always been the incompatible configuration file 
format; there is now experimental support for the log4j 1.x files so movement 
becomes more realistic.

Do you want to get involved?

> Migrate from Log4j1 to Log4j2
> -----------------------------
>
>                 Key: HADOOP-16206
>                 URL: https://issues.apache.org/jira/browse/HADOOP-16206
>             Project: Hadoop Common
>          Issue Type: Sub-task
>    Affects Versions: 3.3.0
>            Reporter: Akira Ajisaka
>            Priority: Major
>         Attachments: HADOOP-16206-wip.001.patch
>
>
> This sub-task is to remove log4j1 dependency and add log4j2 dependency.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
