Upgrade log4j to log4j2 #976
Until the upgrade to log4j 2.x is done, users are advised not to use the SocketServer included in Log4j 1.2.
The TMC decided that maintaining compatibility with existing log4j properties files may be dropped when this simplifies upgrading log4j.
To convert existing log4j v1.2 properties files to log4j v2.x XML configuration files, the following steps need to be done:
or use the CLI provided with log4j2:
With the upgrade to log4j2, the usage of the deegree-maven-plugin:assemble-log4j goal shall be removed from the Maven build. Furthermore, the usage of the org.deegree.commons.annotations.LoggingNotes annotation shall be removed from the code base. The following annotations and types shall be set to deprecated: org.deegree.commons.annotations.PackageLoggingNotes. Users of deegree's API are advised to use the @log annotation provided by project Lombok (https://projectlombok.org/features/log). Committers to the deegree code base are advised to use the slf4j API for logging statements. The wiki page https://github.com/deegree/deegree3/wiki/Developer-Guidelines#logging needs an update too.
Advice about the current CVE-2021-44228 in Apache Log4j v2.x:
UPDATE 2021-12-14: The vulnerability of log4j v1: According to this analysis, log4j v1 is also affected, but not as critically as log4j v2. Nevertheless, users are advised not to use JMSAppender or any JNDI lookups in their log4j configurations. Follow the remediation advice in GHSA-jfh8-c2jp-5v3q. Make sure that the log4j.xml or log4j.properties configuration is safe by protecting the file with appropriate access rights on the file system level. Please read further at http://slf4j.org/log4shell.html for more information about the vulnerability of log4j v1.
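One way to check a deployment for the two points raised in the update above (no JMSAppender or JNDI lookups in the log4j configuration, and a configuration file that only the service owner can modify), as an added example that is not deegree code and not part of the thread: a Python script that flags a JMSAppender declared in a log4j 1.2 properties or XML file, any `${jndi:` lookup string, and a file that is group- or world-writable. The sample configurations it audits are constructed for the example; the appender names and file names in them are made up.

```python
"""Added example, not deegree project code: audit log4j 1.2 configuration files
(log4j.properties / log4j.xml) for the JMSAppender and JNDI usage the update above
warns about, and for file permissions that would let other users edit them."""
import os
import re
import shutil
import stat
import tempfile

JMS_APPENDER = "org.apache.log4j.net.JMSAppender"

# Ordered checks: a JMSAppender declared either as a 1.2 properties appender
# (log4j.appender.NAME=...) or as a 1.2 XML <appender class="...">, and any
# ${jndi:...} lookup string, which a log4j 2.x core would resolve even when the
# file is loaded through its 1.2 compatibility bridge.
PATTERNS = {
    "JMSAppender configured": re.compile(
        r"(?:^\s*log4j\.appender\.[\w.]+\s*=\s*|class\s*=\s*[\"'])"
        + re.escape(JMS_APPENDER), re.MULTILINE),
    "JNDI lookup string": re.compile(r"\$\{jndi:", re.IGNORECASE),
}


def audit_text(text):
    """Names of the checks that trigger on a configuration's text, in PATTERNS order."""
    return [name for name, rx in PATTERNS.items() if rx.search(text)]


def audit_permissions(path):
    """Permission findings: only the owner should be able to write the configuration,
    so group- or world-writable files are reported."""
    mode = os.stat(path).st_mode
    findings = []
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    if mode & stat.S_IWGRP:
        findings.append("group-writable")
    return findings


def audit_file(path):
    """Combined content and permission findings for one configuration file."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    return audit_text(text) + audit_permissions(path)


# Constructed sample configurations (not taken from any real deployment).
UNSAFE_PROPERTIES = """\
log4j.rootLogger=INFO, jms, file
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.TopicBindingName=logTopic
log4j.appender.jms.TopicConnectionFactoryBindingName=topicConnectionFactory
log4j.appender.file=org.apache.log4j.RollingFileAppender
log4j.appender.file.File=deegree.log
log4j.appender.file.layout=org.apache.log4j.PatternLayout
"""

SAFE_PROPERTIES = """\
log4j.rootLogger=INFO, file
log4j.appender.file=org.apache.log4j.RollingFileAppender
log4j.appender.file.File=deegree.log
log4j.appender.file.layout=org.apache.log4j.PatternLayout
log4j.appender.file.layout.ConversionPattern=%d %-5p [%c] %m%n
"""

# Constructed log4j 2.x style file using the JNDI lookup documented for that version.
JNDI_XML = """\
<Configuration>
  <Appenders>
    <Console name="stdout">
      <PatternLayout pattern="%d ${jndi:logging/context-name} %m%n"/>
    </Console>
  </Appenders>
</Configuration>
"""


def demo():
    """Write the constructed samples with deliberately different permissions and
    return {"unsafe": findings, "safe": findings}."""
    root = tempfile.mkdtemp()
    results = {}
    for label, text, mode in (("unsafe", UNSAFE_PROPERTIES, 0o666),
                              ("safe", SAFE_PROPERTIES, 0o640)):
        path = os.path.join(root, f"log4j-{label}.properties")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)
        os.chmod(path, mode)
        results[label] = audit_file(path)
    shutil.rmtree(root)
    return results


if __name__ == "__main__":
    for label, findings in demo().items():
        print(label, findings or "no findings")
```

Run `audit_file()` over every log4j.properties and log4j.xml a deployment actually loads (the ones on the classpath of the webapp, not just the ones in the source tree). A clean result from the text checks does not replace upgrading the library; it only confirms that the configuration does not itself enable the JMSAppender or JNDI paths.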
Remediation in a nutshell - removing the affected classes from the library:
Use tools like the following to find log4j JAR files on the file system:
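As an added example of both steps in the comment above (it is not deegree code and not one of the tools the comment refers to): a Python script that walks a directory tree, reports every log4j JAR it finds, including JARs nested inside a WAR, together with the Maven version recorded in the JAR and any of the classes named in this thread that it still contains, and then strips those classes from a JAR, which is the "removing the affected classes" remediation (the same effect as `zip -q -d`). The JAR and WAR it scans are constructed in a temporary directory for the example; the version string and the class file bytes are made up.

```python
"""Added example, not deegree project code: find log4j JARs (also inside WARs),
report their version and the risky classes they still contain, and strip those
classes from a JAR in place, the 'remove the affected classes' remediation."""
import io
import os
import shutil
import tempfile
import zipfile

# Entry names of the classes this thread advises against. log4j 2.x: the JNDI
# lookup behind CVE-2021-44228. log4j 1.2: JMSAppender (JNDI) and SocketServer.
RISKY_CLASSES = (
    "org/apache/logging/log4j/core/lookup/JndiLookup.class",
    "org/apache/log4j/net/JMSAppender.class",
    "org/apache/log4j/net/SocketServer.class",
)
LOG4J_PACKAGES = ("org/apache/log4j/", "org/apache/logging/log4j/")


def read_version(zf):
    """Maven version from META-INF/maven/**/pom.properties, or None if absent."""
    for name in zf.namelist():
        if name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
            for line in zf.read(name).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    return line.split("=", 1)[1].strip()
    return None


def find_log4j(zf, location):
    """Yield (location, version, risky classes present) for this archive and for
    every .jar nested inside it (e.g. WEB-INF/lib of a WAR)."""
    names = set(zf.namelist())
    if any(n.startswith(LOG4J_PACKAGES) for n in names):
        yield location, read_version(zf), sorted(c for c in RISKY_CLASSES if c in names)
    for name in sorted(names):
        if name.lower().endswith(".jar"):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                    yield from find_log4j(inner, f"{location}!{name}")
            except zipfile.BadZipFile:
                continue  # not a real archive; skip it rather than abort the scan


def scan(root):
    """Walk `root` and return a list of (location, version, risky classes)."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for f in sorted(files):
            if f.lower().endswith((".jar", ".war", ".ear")):
                path = os.path.join(dirpath, f)
                try:
                    with zipfile.ZipFile(path) as zf:
                        hits.extend(find_log4j(zf, path))
                except zipfile.BadZipFile:
                    continue
    return hits


def strip_classes(path, classes=RISKY_CLASSES):
    """Rewrite the JAR at `path` without `classes` (what `zip -q -d` does), keeping a
    .bak copy. Returns the entries removed; [] means the JAR was already clean."""
    with zipfile.ZipFile(path) as src:
        infos = src.infolist()
        removed = [i.filename for i in infos if i.filename in classes]
        if not removed:
            return []
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as dst:
            for info in infos:
                if info.filename not in classes:
                    dst.writestr(info, src.read(info.filename))
    shutil.copy2(path, path + ".bak")
    with open(path, "wb") as out:
        out.write(buf.getvalue())
    return removed


def demo():
    """Constructed sample: a fake log4j-core 2.14.1 JAR on disk and the same JAR
    nested in a WAR. Returns (findings before, removed entries, JAR findings after)."""
    root = tempfile.mkdtemp()
    jar = os.path.join(root, "log4j-core-2.14.1.jar")
    with zipfile.ZipFile(jar, "w") as zf:
        zf.writestr("META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties",
                    "version=2.14.1\ngroupId=org.apache.logging.log4j\n")
        zf.writestr(RISKY_CLASSES[0], b"\xca\xfe\xba\xbe fake class bytes")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
    with zipfile.ZipFile(os.path.join(root, "webapp.war"), "w") as war:
        war.write(jar, "WEB-INF/lib/log4j-core-2.14.1.jar")
    before = scan(root)
    removed = strip_classes(jar)
    after = [hit for hit in scan(root) if hit[0] == jar]
    shutil.rmtree(root)
    return before, removed, after


if __name__ == "__main__":
    for hit in demo()[0]:
        print(hit)
```

The nested finding is the point of the WAR in the sample: `strip_classes()` only rewrites the archive it is given, so a log4j JAR packed inside a WAR stays reported until the WAR is unpacked and repacked (or, as the later comments in this thread do, the application is rebuilt against a fixed log4j release). Stripping classes is a stop-gap for installations that cannot upgrade yet; keep the `.bak` copy until the service has been restarted and verified.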
Log4j 2.16.0 is available: https://logging.apache.org/log4j/2.x/download.html, change log: https://logging.apache.org/log4j/2.x/changes-report.html#a2.16.0
The TMC has the notion to replace log4j in future versions of deegree, see issue #1248 for more information.
MDC is broken in Java 9+ for log4j v1: https://blogs.apache.org/logging/entry/moving_on_to_log4j_2
Log4j 2.16.0 is available with deegree webservices 3.4.21. Since there is a new security warning, CVE-2021-45105, which requires upgrading to log4j 2.17.0, see PRs #1253 and #1252.
Log4j 2.17.0 will be available with deegree webservices 3.4.22.
Release 3.4.22 is available: https://github.com/deegree/deegree3/releases/tag/deegree-3.4.22
Log4j 2.17.1 will be available with deegree webservices 3.4.23.
Users can still use log4j 1.x configuration files if needed, see https://logging.apache.org/log4j/2.x/manual/migration.html#Log4j1.2Bridge for more information.
Release 3.4.23 is available: https://github.com/deegree/deegree3/releases/tag/deegree-3.4.23
Working branch is https://github.com/tfr42/deegree3/tree/upgradeLog4j2
TMC has decided to keep the properties file format for the configuration, see https://github.com/deegree/deegree3/wiki/tmc-meeting-minutes-20190329
see also #965 (comment)