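I am using an older version of NiFi, 1.8.0. Upgrading NiFi is not an option at the moment.
A security scan found vulnerabilities in the old log4j-core-2.8.2.jar, log4j-core-2.9.1 (remote execution vulnerability) and log4j-1.x.jar (no longer supported) in various nar files under
/nifi/work/nar/extensions/
opt/nifi/work/nar/extensions/nifi-elasticsearch-client-service-nar-1.8.0.nar-unpacked/NAR-INF/bundled-dependencies/log4j-core-2.9.1.jar
Installed version 2.9.1 Fixed version 2.12.2 <==== for which I'd really want to upgrade to 2.17.0
I looked at the pom.xml file of NiFi 1.8.0, and it depends on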
</dependency>
<!-- logback-classic, logback-core, log4j-over-slf4j, jul-to-slf4j,jcl-over-slf4j,slf4j-api handling this explicitly Must be in root lib -->
<dependency>
<groupId>ch.qos.logback</groupId>
<artifactId>logback-classic</artifactId>
<version>1.2.3</version>
</dependency>
<dependency>
<groupId>ch.qos.logback</groupId>
<artifactId>jcl-over-slf4j</artifactId>
<version>1.2.3</version>
<scope>provided</scope>
<exclusions>
<exclusion>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>jcl-over-slf4j</artifactId>
<version>${org.slf4j.version}</version>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>log4j-over-slf4j</artifactId>
<version>${org.slf4j.version}</version>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>jul-to-slf4j</artifactId>
<version>${org.slf4j.version}</version>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>
<version>${org.slf4j.version}</version>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-simple</artifactId>
<version>${org.slf4j.version}</version>
</dependency>
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-log4j12</artifactId>
<version>${org.slf4j.version}</version>
</dependency>
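where
I tried changing this version to 2.0.7, which is said to be safe. But after building, I still see log4j-core-2.8.2.jar under the nar package.
Is there any way to upgrade the log4j version?
Simply specifying the log4j-core and log4j-api version dependencies explicitly in pom.xml works.
Or https://github.com/apache/nifi/commit/4bcd03024a419afdf40d464bda716f0b9d21925b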
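One way to confirm after a rebuild that a NAR no longer bundles the old jars (an added example, not part of the original question or answer): the script below lists the log4j jars inside a `.nar` file, which is a zip archive, and flags any below a minimum version. The function names, the 2.17.0 floor (the version the question wants to reach) and the sample archive are assumptions constructed for the example.

```python
import io
import re
import zipfile

# log4j-core / log4j-api 2.x, or the unsupported log4j 1.x jar ("log4j-1.2.17.jar").
JAR_RE = re.compile(r"(?:^|/)(log4j(?:-core|-api)?)-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text):
    """'2.9.1' -> (2, 9, 1); short versions are zero-padded so '2.17' == '2.17.0'."""
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (3 - len(parts))


def scan_nar(nar, minimum="2.17.0"):
    """Return sorted (entry, artifact, version, ok) tuples for log4j jars in a NAR.

    `nar` is a path or file-like object (a .nar file is a zip archive).
    `minimum` is an assumption: the version the question wants to reach.
    """
    floor = parse_version(minimum)
    findings = []
    with zipfile.ZipFile(nar) as zf:
        for name in zf.namelist():
            match = JAR_RE.search(name)
            if not match:
                continue  # e.g. log4j-over-slf4j or slf4j-log4j12 bridges
            artifact, version = match.groups()
            # log4j 1.x is flagged whatever its version: it is no longer supported.
            ok = artifact != "log4j" and parse_version(version) >= floor
            findings.append((name, artifact, version, ok))
    return sorted(findings)


def build_sample_nar():
    """Constructed in-memory NAR (empty placeholder jars) for the demo."""
    deps = "NAR-INF/bundled-dependencies/"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for jar in ("log4j-core-2.9.1.jar", "log4j-api-2.17.0.jar",
                    "log4j-1.2.17.jar", "log4j-over-slf4j-1.7.25.jar"):
            zf.writestr(deps + jar, b"")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for entry, artifact, version, ok in scan_nar(build_sample_nar()):
        print("OK  " if ok else "FAIL", artifact, version, entry)
```

Pass the path of each rebuilt `.nar` file to `scan_nar` in place of the sample archive. Jars matched only by file name are reported, so classes repackaged under another jar name are not detected.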