Re: Janusgraph-full-0.6.1: how to fix "WARNING: Critical severity vulnerabilities were found with Log4j!"

Yingjie Li

Hello Marc,

For this build, in directory janusgraph-full-1.0.0-SNAPSHOT/lib, there are  log4j-1.2.17.jar , log4j-api-2.18.0.jar,   log4j-core-2.18.0.jar,   log4j-slf4j-impl-2.18.0.jar,  but no slf4j-log4j12-1.7.30.jar . 

In directory janusgraph-full-1.0.0-SNAPSHOT/elasticsearch/lib, there are elasticsearch-log4j-7.17.5.jar,  log4j-api-2.17.1.jar


On Fri, Sep 30, 2022 at 1:51 AM <hadoopmarc@...> wrote:
Hi Yingjie,

See my earlier comment, with respect to janusgraph-0.6.2:

>>My suggestion was incomplete. In addition to removing the log4j-1.2.17.jar file from the lib folder, you have to remove the slf4j-log4j12-1.7.30.jar file as well. Otherwise, JanusGraph server starts looking for the log4j jar and crashes, as you found out.

Can you confirm that log4j-2x in the elasticsearch/lib folder now has the required version?

Best wishes,   Marc

Join to automatically receive all group messages.