JanusGraph Security Vulnerability -- Using Log4j 2.8.2 with JanusGraph
Graphs <manas...@...>
Hello JanusGraph Development Team,
JanusGraph is using Apache log4j 1.2.x, which seems to have security vulnerabilities with deserialization of untrusted data. This will hinder the adoption of JanusGraph due to security reasons.
https://snyk.io/test/github/JanusGraph/janusgraph
https://snyk.io/vuln/SNYK-JAVA-LOG4J-572732
It seems Log4j 2.8.2 and later versions have resolved this vulnerability. See this: https://logging.apache.org/log4j/2.x/security.html
Is it possible to use Log4j 2.8.2 or above with JanusGraph?
~Graphs