JanusGraph is using Apache Log4j 1.2.x, which seems to have security vulnerabilities with deserialization of untrusted data. This will hinder the adoption of JanusGraph due to security reasons.
https://snyk.io/test/github/JanusGraph/janusgraph
https://snyk.io/vuln/SNYK-JAVA-LOG4J-572732
It seems Log4j 2.8.2 and later versions have resolved this vulnerability. See this: https://logging.apache.org/log4j/2.x/security.html
Is it possible to use Log4j 2.8.2 or above with JanusGraph?