Re: Zookeeper Log4j-1.X upgrade to Log4j2

Nithit · 08-01-2024 11:59 PM

Hello Team,

apipee version : 4.51 zookeeper logging still in the older version: i.e(opt/apigee/apigee-zookeeper/lib/log4j-1.2.17.jar)

solution:

1. what is solution update to log4j2?

2. can we replace this log4j-1.2.17.jar with log4j-2.X download from internet?

AlexET

Hi @Nithit, we apologize for the delay in addressing your question. We're actively working on finding the right resources to provide you with a helpful answer. Thank you for your patience.

In the meantime, we encourage you to stay engaged with the community, and we'll update you as soon as we have information, best.

dchiesa1

apigee version : 4.51 zookeeper logging still in the older version

Please see this link, which states that Apigee for Private cloud v4.51 is no longer supported. Google will make no further updates to Apigee OPDK v4.51.xx . You should update to the latest, 4.52.02 .

v4.51.end-of-life.png

1. what is solution update to log4j2?

The question is moot.

This link from January 2022 states that

Edge for Private Cloud is not affected by the related vulnerability in Apache Log4j-1.x, which is shipped with ZooKeeper.
Edge for Private Cloud’s default configuration contains Log4j 2 but is not vulnerable to Log4j 2 (CVE-2021-44228).

So you do not need to do anything, if you are on 4.51.03 or later. Your software is not vulnerable. If you are on 4.51.02, then you should update. But , regardless which version of 4.51 you are using, you ARE out of support. So you should update to the latest OPDK.

2. can we replace this log4j-1.2.17.jar with log4j-2.X download from internet?

definitely not! Don't do that.