NIFI-9474 Block log4j-core older than 2.15.0

- Add log4j-bom to root Maven configuration
- Remove previous overrides in favor of log4j-bom in root Maven configuration

This closes #5598

Signed-off-by: David Handermann <exceptionfactory@apache.org>

nifi-nar-bundles/nifi-atlas-bundle/pom.xml

@@ -96,14 +96,6 @@
                 <artifactId>netty-transport-native-epoll</artifactId>
                 <version>${netty.4.version}</version>
             </dependency>
-            <!-- Override log4j -->
-            <dependency>
-                <groupId>org.apache.logging.log4j</groupId>
-                <artifactId>log4j-bom</artifactId>
-                <version>2.15.0</version>
-                <scope>import</scope>
-                <type>pom</type>
-            </dependency>
         </dependencies>
     </dependencyManagement>
 

nifi-nar-bundles/nifi-druid-bundle/pom.xml

@@ -76,14 +76,6 @@
                 <artifactId>snakeyaml</artifactId>
                 <version>1.29</version>
             </dependency>
-            <!-- Override log4j 2.5 from druid -->
-            <dependency>
-                <groupId>org.apache.logging.log4j</groupId>
-                <artifactId>log4j-bom</artifactId>
-                <version>2.15.0</version>
-                <scope>import</scope>
-                <type>pom</type>
-            </dependency>
             <!-- Override zookeeper -->
             <dependency>
                 <groupId>org.apache.zookeeper</groupId>

nifi-nar-bundles/nifi-elasticsearch-bundle/nifi-elasticsearch-5-processors/pom.xml

@@ -24,7 +24,6 @@ language governing permissions and limitations under the License. -->
         <slf4jversion>2.7</slf4jversion>
         <es.version>5.0.1</es.version>
         <lucene.version>6.2.1</lucene.version>
-        <log4j.version>2.15.0</log4j.version>
     </properties>
 
     <dependencies>
@@ -81,12 +80,10 @@ language governing permissions and limitations under the License. -->
         <dependency>
             <groupId>org.apache.logging.log4j</groupId>
             <artifactId>log4j-api</artifactId>
-            <version>${log4j.version}</version>
         </dependency>
         <dependency>
             <groupId>org.apache.logging.log4j</groupId>
             <artifactId>log4j-core</artifactId>
-            <version>${log4j.version}</version>
         </dependency>
         <dependency>
             <groupId>org.apache.nifi</groupId>

nifi-nar-bundles/nifi-elasticsearch-bundle/pom.xml

@@ -64,14 +64,6 @@ language governing permissions and limitations under the License. -->
                 <artifactId>commons-compress</artifactId>
                 <version>1.21</version>
             </dependency>
-            <!-- Override log4j 2.11.1 -->
-            <dependency>
-                <groupId>org.apache.logging.log4j</groupId>
-                <artifactId>log4j-bom</artifactId>
-                <version>2.15.0</version>
-                <scope>import</scope>
-                <type>pom</type>
-            </dependency>
         </dependencies>
     </dependencyManagement>
 

nifi-nar-bundles/nifi-hive-bundle/pom.xml

@@ -96,14 +96,6 @@
                 <artifactId>derby</artifactId>
                 <version>10.14.2.0</version>
             </dependency>
-            <!-- Override log4j 2.10.0 -->
-            <dependency>
-                <groupId>org.apache.logging.log4j</groupId>
-                <artifactId>log4j-bom</artifactId>
-                <version>2.15.0</version>
-                <scope>import</scope>
-                <type>pom</type>
-            </dependency>
             <!-- Override zookeeper -->
             <dependency>
                 <groupId>org.apache.zookeeper</groupId>

nifi-nar-bundles/nifi-ranger-bundle/pom.xml

@@ -71,14 +71,6 @@
                 <artifactId>jackson-databind</artifactId>
                 <version>${jackson.version}</version>
             </dependency>
-            <!-- Override log4j 2.11.1 -->
-            <dependency>
-                <groupId>org.apache.logging.log4j</groupId>
-                <artifactId>log4j-bom</artifactId>
-                <version>2.15.0</version>
-                <scope>import</scope>
-                <type>pom</type>
-            </dependency>
         </dependencies>
     </dependencyManagement>
 </project>

nifi-registry/nifi-registry-core/nifi-registry-framework/pom.xml

@@ -207,17 +207,6 @@
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-security</artifactId>
             <version>${spring.boot.version}</version>
-            <exclusions>
-                <exclusion>
-                    <groupId>org.apache.logging.log4j</groupId>
-                    <artifactId>log4j-to-slf4j</artifactId>
-                </exclusion>
-            </exclusions>
-        </dependency>
-        <dependency>
-            <groupId>org.apache.logging.log4j</groupId>
-            <artifactId>log4j-to-slf4j</artifactId>
-            <version>2.15.0</version>
         </dependency>
         <dependency>
             <groupId>org.springframework.security</groupId>

nifi-registry/nifi-registry-core/nifi-registry-web-api/pom.xml

@@ -320,17 +320,6 @@
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-web</artifactId>
             <version>${spring.boot.version}</version>
-            <exclusions>
-                <exclusion>
-                    <groupId>org.apache.logging.log4j</groupId>
-                    <artifactId>log4j-to-slf4j</artifactId>
-                </exclusion>
-            </exclusions>
-        </dependency>
-        <dependency>
-            <groupId>org.apache.logging.log4j</groupId>
-            <artifactId>log4j-to-slf4j</artifactId>
-            <version>2.15.0</version>
         </dependency>
 
         <dependency>

nifi-registry/nifi-registry-extensions/nifi-registry-ranger/pom.xml

@@ -77,14 +77,6 @@
                 <artifactId>jetty-webapp</artifactId>
                 <version>${jetty.version}</version>
             </dependency>
-            <!-- Override log4j 2.11.1 -->
-            <dependency>
-                <groupId>org.apache.logging.log4j</groupId>
-                <artifactId>log4j-bom</artifactId>
-                <version>2.15.0</version>
-                <scope>import</scope>
-                <type>pom</type>
-            </dependency>
             <!-- Override zookeeper -->
             <dependency>
                 <groupId>org.apache.zookeeper</groupId>

pom.xml

@@ -485,6 +485,14 @@
                 <artifactId>aspectjweaver</artifactId>
                 <version>${aspectj.version}</version>
             </dependency>
+            <!-- Ensure log4j-core 2.15.0 is used by any transitive dependencies to remediate Log4Shell vulnerability -->
+            <dependency>
+                <groupId>org.apache.logging.log4j</groupId>
+                <artifactId>log4j-bom</artifactId>
+                <version>2.15.0</version>
+                <scope>import</scope>
+                <type>pom</type>
+            </dependency>
         </dependencies>
     </dependencyManagement>
 
@@ -787,6 +795,8 @@
                                         <exclude>com.google.code.findbugs:jsr305:*:*:compile</exclude>
                                         <!-- Log4J excluded in favor of log4j-over-slf4j and logback -->
                                         <exclude>log4j:log4j:*</exclude>
+                                        <!-- Ban log4j-core less than 2.15.0 due to Log4Shell vulnerability -->
+                                        <exclude>org.apache.logging.log4j:log4j-core:(,2.15.0)</exclude>
                                     </excludes>
                                     <includes>
                                         <!-- Versions of JSR305 after 3.0.1 are allowed https://github.com/findbugsproject/findbugs/issues/128 -->