Hi, Is it possible to use the latest Java API jar(ex: conf-api-7.6.3.jar) in old ConfD binary(ex: 6.6.1) installation?
I would like to use the latest jar to take care of the log4j vulnerabilities.
Definitely not without lots of changes on many places. ConfD-6.6.1 is almost 4 years old and there were changes that can make this even impossible.
But you have other options:
-
If your main concern is log4j, you might be able to use recent version of that with log4j 1.x bridge; so you would stay with the old Java ConfD API, but bind to new log4j 2 version using the bridge.
-
If your main concern is log4j and of that the recently discovered log4shell vulnerability, I believe you can stay calm and ignore it - the vulnerability applies to log4j 2, pre-7.3 ConfD releases use log4j 1 which is not affected.
Thanks for your input. I will check.