Update 2.x SDK log4j2 appender to not pull in log4j2 on its own #2002

Merged
merged 5 commits into from
Dec 13, 2021

trask
Member

@trask trask commented Dec 13, 2021

The 2.x SDK log4j2 appender is designed for users who are already using log4j2. It should not pull in log4j2 on its own. Users should already be bringing their own version of log4j2 (and should be upgrading that version or applying the mitigation steps from CVE-2021-44228). The PR ensures that users have to bring their own version of log4j2.

@heyams
Contributor

heyams commented Dec 13, 2021

can we drop java 7 support for legacy sdk? that's a feature change for some customers... and we don't know how many were on java 7.

@heyams
Contributor

heyams commented Dec 13, 2021

should we add another statsbeat feature for java version? i think that's more useful than java vendor

@trask trask changed the title Update log4j2 appender Update log4j2 appender to not pull in log4j2 on its own Dec 13, 2021
@trask trask changed the title Update log4j2 appender to not pull in log4j2 on its own Update 2.x SDK log4j2 appender to not pull in log4j2 on its own Dec 13, 2021
@trask
Member Author

trask commented Dec 13, 2021

> should we add another statsbeat feature for java version? i think that's more useful than java vendor

👍 it's high cardinality if we capture the full version, but maybe just the major versions 8, 11, 17, and "other"

@trask trask merged commit 51a30a9 into legacy-sdk Dec 13, 2021
@trask trask deleted the update-log4j-appender branch December 13, 2021 23:35