NIFI-9504 Upgraded Logback from 1.2.8 to 1.2.9

NIFI-9505 Upgraded Log4j 2 from 2.16.0 to 2.17.0 Signed-off-by: Chris Sampson <chris.sampson82@gmail.com> This closes #5615
2021-12-18 14:30:06 -06:00 · 2021-12-18 14:30:06 -06:00 · bda48b3f87
parent 20392d5ef4
commit bda48b3f87
1 changed files with 5 additions and 5 deletions
--- a/pom.xml
+++ b/pom.xml
@ -111,7 +111,7 @@
        <gcs.version>2.1.5</gcs.version>
        <aspectj.version>1.9.6</aspectj.version>
        <jersey.version>2.33</jersey.version>
-        <logback.version>1.2.8</logback.version>
+        <logback.version>1.2.9</logback.version>
        <mockito.version>3.11.2</mockito.version>
        <netty.3.version>3.10.6.Final</netty.3.version>
        <netty.4.version>4.1.69.Final</netty.4.version>
@ -485,11 +485,11 @@
                <artifactId>aspectjweaver</artifactId>
                <version>${aspectj.version}</version>
            </dependency>
-            <!-- Override log4j-core and related Log4j 2 libraries for transitive dependencies to address CVE-2021-44228 -->
+            <!-- Override log4j-core and related Log4j 2 libraries for transitive dependencies to multiple vulnerabilities -->
            <dependency>
                <groupId>org.apache.logging.log4j</groupId>
                <artifactId>log4j-bom</artifactId>
-                <version>2.16.0</version>
+                <version>2.17.0</version>
                <scope>import</scope>
                <type>pom</type>
            </dependency>
@ -795,8 +795,8 @@
                                        <exclude>com.google.code.findbugs:jsr305:*:*:compile</exclude>
                                        <!-- Log4J excluded in favor of log4j-over-slf4j and logback -->
                                        <exclude>log4j:log4j:*</exclude>
-                                        <!-- Ban log4j-core less than 2.15.0 due to Log4Shell vulnerability -->
-                                        <exclude>org.apache.logging.log4j:log4j-core:(,2.15.0)</exclude>
+                                        <!-- Ban log4j-core less than 2.17.0 due to multiple vulnerability -->
+                                        <exclude>org.apache.logging.log4j:log4j-core:(,2.17.0)</exclude>
                                        <!-- Commons Logging excluded in favor of jcl-over-slf4j -->
                                        <exclude>commons-logging:commons-logging:*</exclude>
                                    </excludes>