Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Upgrade log4j to log4j2 #976

Closed
Tracked by #1120
tfr42 opened this issue Apr 30, 2019 · 17 comments · Fixed by #1247
Closed
Tracked by #1120

Upgrade log4j to log4j2 #976

tfr42 opened this issue Apr 30, 2019 · 17 comments · Fixed by #1247
Labels
CVE Common Vulnerabilities and Exposures enhancement enhancement or improvement ready

Comments

@tfr42
Copy link
Member

tfr42 commented Apr 30, 2019

Working branch is https://github.com/tfr42/deegree3/tree/upgradeLog4j2
TMC has decided to keep the properties file format for the configuration, see https://github.com/deegree/deegree3/wiki/tmc-meeting-minutes-20190329

see also #965 (comment)

@tfr42 tfr42 added the enhancement enhancement or improvement label Apr 30, 2019
tfr42 added a commit to tfr42/deegree3 that referenced this issue Jun 14, 2019
@tfr42
Copy link
Member Author

tfr42 commented Jun 5, 2020

Until the upgrade to log4j 2.x is not done, users are adviced not to use the SocketServer Included in Log4j 1.2.

@copierrj
Copy link
Member

copierrj commented Jun 5, 2020

The TMC decided that maintaining compatibility with existing log4j properties file may be dropped when this simplifies upgrading log4j

@tfr42
Copy link
Member Author

tfr42 commented Nov 18, 2020

To convert existing log4j v1.2 properties files to log4j v2.x XML configuration files the following steps need to be done:

or use the CLI provided with log4j2:
https://logging.apache.org/log4j/2.x/log4j-1.2-api/apidocs/org/apache/log4j/config/Log4j1ConfigurationConverter.html

@tfr42
Copy link
Member Author

tfr42 commented Nov 27, 2020

With upgrade to log4j2 the usage of the deegree-maven-plugin:assemble-log4j goal shall be removed from the maven build. Furthermore the usage of org.deegree.commons.annotations.LoggingNotes annotation shall be removed from the code base.

The following annotations and types shall be set to deprecated:

org.deegree.commons.annotations.PackageLoggingNotes
org.deegree.commons.annotations.LoggingNotes
org.deegree.commons.processors.LoggingAnnotationProcessor
org.deegree.commons.log4j.DuplicateMessageFilter
org.deegree.commons.utils.io.RollbackPrintWriter

Users of deegree's API are advised to use the @log annotation provided by project Lombok (https://projectlombok.org/features/log). Committers to the deegree code base are advised to use the slf4j API for logging statements.

The wiki page https://github.com/deegree/deegree3/wiki/Developer-Guidelines#logging needs an update too.

@tfr42 tfr42 added the CVE Common Vulnerabilities and Exposures label Dec 13, 2021
tfr42 added a commit to tfr42/deegree3 that referenced this issue Dec 13, 2021
@tfr42
Copy link
Member Author

tfr42 commented Dec 13, 2021

Advice about the current CVE-2021-44228 in Apache Log4j v2.x:

  • deegree v3.4 still uses Apache Log4j v1.x and is not affected to this specific issue
  • but Apache Log4j v1.x is vulnerable to other RCE vectors so upgrading Log4j is recommended.

@tfr42 tfr42 pinned this issue Dec 13, 2021
lgoltz added a commit to lat-lon/deegree3 that referenced this issue Dec 13, 2021
@tfr42
Copy link
Member Author

tfr42 commented Dec 14, 2021

UPDATE 2021-12-14: The vulnerability of log4j v1:

According to this analysis log4j v1 is also affected - but not as critical as log4j v2.

Nevertheless users are adviced not to use JMSAppender or any JNDI lookups in their log4j configurations. Follow the remediation advices in GHSA-jfh8-c2jp-5v3q.

Make sure that the log4j.xml or log4j.properties configuration is safe by protecting the file with appropriate access rights on file system level. Please read further in http://slf4j.org/log4shell.html for more information about the vulnerability of log4j v1.

@tfr42
Copy link
Member Author

tfr42 commented Dec 14, 2021

Remediation in a nutshell - removing the affected classes from the library:

  • log4j v1: zip -q -d log4j-1.2.17.jar org/apache/log4j/net/JMSAppender.class
  • log4j v2: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

Use tools like the following to find log4j JAR files in the file systems:

@tfr42
Copy link
Member Author

tfr42 commented Dec 14, 2021

lgoltz added a commit to lat-lon/deegree3 that referenced this issue Dec 14, 2021
lgoltz added a commit to lat-lon/deegree3 that referenced this issue Dec 14, 2021
lgoltz added a commit to lat-lon/deegree3 that referenced this issue Dec 14, 2021
lgoltz added a commit to lat-lon/deegree3 that referenced this issue Dec 15, 2021
lgoltz added a commit to lat-lon/deegree3 that referenced this issue Dec 15, 2021
lgoltz added a commit to lat-lon/deegree3 that referenced this issue Dec 15, 2021
lgoltz added a commit to lat-lon/deegree3 that referenced this issue Dec 15, 2021
tfr42 added a commit to lat-lon/deegree3 that referenced this issue Dec 15, 2021
@tfr42 tfr42 added ready and removed in progress labels Dec 15, 2021
@tfr42
Copy link
Member Author

tfr42 commented Dec 15, 2021

The TMC has the notion to replace log4j in future versions of deegree, see issue #1248 for more information.

@tfr42
Copy link
Member Author

tfr42 commented Dec 15, 2021

MDC is broken in Java 9+ for log4j v1: https://blogs.apache.org/logging/entry/moving_on_to_log4j_2

florianesser pushed a commit to wetransform-os/deegree3 that referenced this issue Dec 17, 2021
florianesser pushed a commit to wetransform-os/deegree3 that referenced this issue Dec 17, 2021
florianesser pushed a commit to wetransform-os/deegree3 that referenced this issue Dec 17, 2021
florianesser pushed a commit to wetransform-os/deegree3 that referenced this issue Dec 17, 2021
florianesser pushed a commit to wetransform-os/deegree3 that referenced this issue Dec 17, 2021
florianesser pushed a commit to wetransform-os/deegree3 that referenced this issue Dec 17, 2021
florianesser pushed a commit to wetransform-os/deegree3 that referenced this issue Dec 17, 2021
florianesser pushed a commit to wetransform-os/deegree3 that referenced this issue Dec 17, 2021
florianesser pushed a commit to wetransform-os/deegree3 that referenced this issue Dec 17, 2021
florianesser pushed a commit to wetransform-os/deegree3 that referenced this issue Dec 17, 2021
florianesser pushed a commit to wetransform-os/deegree3 that referenced this issue Dec 17, 2021
florianesser pushed a commit to wetransform-os/deegree3 that referenced this issue Dec 17, 2021
florianesser pushed a commit to wetransform-os/deegree3 that referenced this issue Dec 17, 2021
florianesser pushed a commit to wetransform-os/deegree3 that referenced this issue Dec 17, 2021
florianesser pushed a commit to wetransform-os/deegree3 that referenced this issue Dec 17, 2021
florianesser pushed a commit to wetransform-os/deegree3 that referenced this issue Dec 17, 2021
florianesser pushed a commit to wetransform-os/deegree3 that referenced this issue Dec 17, 2021
florianesser pushed a commit to wetransform-os/deegree3 that referenced this issue Dec 17, 2021
florianesser pushed a commit to wetransform-os/deegree3 that referenced this issue Dec 17, 2021
florianesser pushed a commit to wetransform-os/deegree3 that referenced this issue Dec 17, 2021
@tfr42
Copy link
Member Author

tfr42 commented Dec 20, 2021

Log4j 2.16.0 is available with deegree webservices 3.4.21.

Since there is a new security warning CVE-2021-45105 which requires to upgrade to log4j 2.17.0, see PR #1253 and #1252 .

@tfr42
Copy link
Member Author

tfr42 commented Dec 22, 2021

Log4j 2.17.0 will be available with deegree webservices 3.4.22.

@tfr42
Copy link
Member Author

tfr42 commented Jan 3, 2022

Release 3.4.22 is available https://github.com/deegree/deegree3/releases/tag/deegree-3.4.22

@tfr42
Copy link
Member Author

tfr42 commented Jan 3, 2022

Log4j 2.17.1 will be available with deegree webservices 3.4.23.

@tfr42
Copy link
Member Author

tfr42 commented Jan 12, 2022

Users can still use log4j 1.x configuration files if needed, see https://logging.apache.org/log4j/2.x/manual/migration.html#Log4j1.2Bridge for more information.

@tfr42
Copy link
Member Author

tfr42 commented Jan 19, 2022

Release 3.4.23 is available https://github.com/deegree/deegree3/releases/tag/deegree-3.4.23

@tfr42
Copy link
Member Author

tfr42 commented Jan 25, 2022

We do not plan to add any further information to this issue. Please open a new issue in case of bugs related to log4j.
Related issues are #1251 and #1248.

@tfr42 tfr42 unpinned this issue Jun 1, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
CVE Common Vulnerabilities and Exposures enhancement enhancement or improvement ready
Projects
None yet
Development

Successfully merging a pull request may close this issue.

2 participants