
 Plans to move PDI from EOL Log4j 1.x to Log4j 2.17+

Bill Pulver posted 01-06-2022 12:08
We use Pentaho Data Integration CE for daily ETL jobs in our environment. It has proven quite useful.
As a result of the recent log4j vulnerability in log4j 2.x, there has been increased scrutiny on outdated versions of software and on using software that is end-of-life, with mgmt./security requesting information on updates/timeframes for existing applications.
PDI uses log4j-1.2.17.jar which is end-of-life. Are there any plans to upgrade all instances of log4j, specifically, to log4j version 2.17+, as well as other Java libs/packages that may be EOL as well? If so, is there an expected timeframe?

From the Apache Log4j site: "On August 5, 2015 the Logging Services Project Management Committee announced that Log4j 1.x had reached end of life"

Thank you,
Bill Pulver