logstash-plugins / logstash-input-http

Apache License 2.0

log4j-api need upgraded >= 2.8.2 as vulnerability CVE-2017-5645 #100

Closed caixiangibm closed 6 years ago

caixiangibm commented 6 years ago

For all general issues, please provide the following details for fast resolution:

After upgrading Logstash to 6.5.0, we found that the dependency on "log4j-api" in logstash-input-http 3.2.2 is still at "log4j-api-2.6.2", which is covered by CVE-2017-5645. (Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5645) e.g. ./vendor/bundle/jruby/2.3.0/gems/logstash-input-http-3.2.2-java/vendor/jar-dependencies/org/apache/logging/log4j/log4j-api/2.6.2/log4j-api-2.6.2.jar

It needs to be upgraded to log4j-api version 2.8.2 or above. I created the following PR for this issue: https://github.com/logstash-plugins/logstash-input-http/pull/99
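The report above found the old jar by looking at the path of a vendored dependency. The script below, an added example for this thread and not code from logstash-input-http or Logstash, generalises that manual check: it walks a directory tree (e.g. a Logstash install) and reports every vendored log4j-api or log4j-core jar whose version is below the 2.8.2 floor stated in the issue. Versions are compared as integer tuples, so 2.11.1 is correctly treated as newer than 2.8.2 (a plain string comparison would get that wrong). The jar naming pattern and the sample vendor tree are assumptions; the sample plugin name `logstash-input-example-1.0.0-java` is hypothetical.

```python
"""Flag vendored log4j 2.x jars below a minimum fixed version.

Added example, not code from logstash-input-http or Logstash.
Only file names are inspected; the pom.properties inside each jar would be
the authoritative source and is not checked here.
"""
import os
import re
import sys
import tempfile
from typing import Iterator, List, Optional, Tuple

# Minimum fixed version stated in the issue for CVE-2017-5645.
MIN_FIXED = (2, 8, 2)

# Assumed file naming: Maven-style artifacts as laid out under
# vendor/jar-dependencies, e.g. log4j-api-2.6.2.jar, log4j-core-2.11.1.jar.
# Pre-release suffixes such as 2.0-beta9 are deliberately not matched.
JAR_RE = re.compile(r"^log4j-(api|core)-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.8.2' -> (2, 8, 2); tuple comparison avoids '2.11.1' < '2.8.2' lexically."""
    return tuple(int(part) for part in text.split("."))


def is_vulnerable(version: Tuple[int, ...], min_fixed: Tuple[int, ...] = MIN_FIXED) -> bool:
    """True when version is strictly older than the minimum fixed version."""
    return version < min_fixed


def find_log4j_jars(root: str) -> Iterator[Tuple[str, str, Tuple[int, ...]]]:
    """Yield (path, artifact, version) for every matching jar under root."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            match = JAR_RE.match(name)
            if match:
                yield os.path.join(dirpath, name), match.group(1), parse_version(match.group(2))


def scan(root: str, min_fixed: Tuple[int, ...] = MIN_FIXED) -> List[Tuple[str, str, str]]:
    """Return sorted [(path, artifact, version_string)] for jars below min_fixed."""
    hits = []
    for path, artifact, version in find_log4j_jars(root):
        if is_vulnerable(version, min_fixed):
            hits.append((path, artifact, ".".join(str(p) for p in version)))
    return sorted(hits)


def build_sample_tree(base: Optional[str] = None) -> str:
    """Constructed sample vendor tree (empty files, since only names are inspected):
    one plugin still on 2.6.2 and one hypothetical plugin already on 2.11.1."""
    base = base or tempfile.mkdtemp(prefix="logstash-sample-")
    gems = os.path.join(base, "vendor", "bundle", "jruby", "2.3.0", "gems")
    deps = os.path.join("vendor", "jar-dependencies", "org", "apache", "logging", "log4j")
    samples = [
        ("logstash-input-http-3.2.2-java", "log4j-api", "2.6.2"),
        ("logstash-input-http-3.2.2-java", "log4j-core", "2.6.2"),
        ("logstash-input-example-1.0.0-java", "log4j-api", "2.11.1"),  # hypothetical plugin
    ]
    for gem, artifact, version in samples:
        d = os.path.join(gems, gem, deps, artifact, version)
        os.makedirs(d, exist_ok=True)
        open(os.path.join(d, f"{artifact}-{version}.jar"), "w").close()
    # An unrelated jar that must not be reported.
    other = os.path.join(gems, "logstash-input-example-1.0.0-java", "vendor",
                         "jar-dependencies", "io", "netty")
    os.makedirs(other, exist_ok=True)
    open(os.path.join(other, "netty-all-4.1.18.Final.jar"), "w").close()
    return base


if __name__ == "__main__":
    # Usage: python scan_log4j.py /path/to/logstash   (defaults to the sample tree)
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    findings = scan(target)
    for path, artifact, version in findings:
        print(f"VULNERABLE log4j-{artifact} {version}: {path}")
    sys.exit(1 if findings else 0)
```

Run it against the Logstash root (the parent of `vendor/`) after every upgrade; a non-zero exit lets it gate a deployment pipeline. Because each plugin gem vendors its own jar-dependencies, upgrading Logstash itself does not refresh them, which is exactly why the 2.6.2 jar survived the 6.5.0 upgrade described above.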

ejwalk commented 6 years ago

Has anyone at ES reviewed this yet? This is an important question...

jsvd commented 6 years ago

The dependencies on log4j2 and others have been updated in #101 and a new release has been published.