Apache avro scanning shows the log4j vulnerability.
How to get rid of it?
Tried with:
java -jar target/log4j-detector-latest.jar /c/workspace/sampleApp
-- github.com/mergebase/log4j-detector v2021.12.29 (by mergebase.com) analyzing paths (could take a while).
-- Note: specify the '--verbose' flag to have every file examined printed to STDERR.
C:\workspace\sampleApp\target\SampleApp\WEB-INF\lib\avro-tools-1.9.1.jar contains Log4J-1.x <= 1.2.17 OLD
I have tried to upgrade to avro-tools version 1.11.0 that too shows the same issue.
You can modify the JAR file and delete the following files that belong to log4j 1.x within the JAR file to mitigate the vulnerabilities. They are present in the folder /org/apache/log4j/net/ within the JAR:
JMSAppender.class
SocketServer.class
SocketAppender.class
SMTPAppender.class
SMTPAppender$1.class
Once deleted these classes can no longer be used by a log4j logging configuration (which is the way to trigger the vulnerabilities).
If the application does not work after the modification it needs to be migrated to use a newer log4j 2.x version: Log4j 2.3.2 (for Java 6), 2.12.4 (for Java 7), or 2.17.1 (for Java 8 and later)) - see https://logging.apache.org/log4j/2.x/
Related
I'm trying to upgrade the logback-classic library from version 1.2.3 to 1.2.8. The patch notes say that all DB related code has been removed, so the main DBAppender class no longer exists in the new version https://logback.qos.ch/news.html. Has anyone found some kind of upgrade guide or know of a workaround solution?
Please see https://logback.qos.ch/news.html.
2022-04-20, Release of logback.db version 1.2.11.1
As of logback version 1.2.8 DBAppender no longer ships with logback.
However, DBAppender for logback-classic is available under the
following Maven coordinates:
ch.qos.logback.db:logback-classic-db:1.2.11.1
and for logback-access under
ch.qos.logback.db:logback-access-db:1.2.11.1
Both of these artifacts require
ch.qos.logback.db:logback-core-db:1.2.11.1 which will be pulled in
automatically by Maven's transitivity rules.
I was wondering the same thing after upgrading spring to the 2.6.3 which pulls in logback version 1.2.8+ through spring-boot-starter-logging dependency.
According to logback's site: https://logback.qos.ch/news.html in version 1.2.8: "2) we have removed all database (JDBC) related code in the project with no replacement."
My logback xml configuration file has a custom DB Appender in it and the application failed to build with the following error:
Could not create an Appender of type [ch.qos.logback.classic.db.DBAppender]. ch.qos.logback.core.util.DynamicClassLoadingException: Failed to instantiate type ch.qos.logback.classic.db.DBAppender
After doing some research, I found a ticket in the logback backlog with a request to document how to proceed. https://jira.qos.ch/browse/LOGBACK-1609
Apparently the DB appender was removed due to a vulnerability.
According to the developer: "The source code is still there. Until this issue is resolved, you can fetch the code from tag 1.2.8 and rebuild. The DBAppender issue is a bit more complex than what people think. As you can imagine, we have a lot on my plate these days but we'll get to it eventually."
So it sounds like the code was removed while they work on a fix and support will be added back eventually. I wouldn't count on a quick fix though.
As a workaround I have pinned the logback version in my projects gradle file so that I can use the latest version of spring along with the latest version of logback that still supports the DB appender class.
Here is the syntax I used:
ext['logback.version'] = '1.2.7'
After the log4j zero-day vulnerability, we started to look if there are any more artifacts that are using either slf4J or lower versions of log4j.
Checking the mvn dependency tree we have figured that spring-security-saml2-core is using slf4j, and we tried to exclude that from the artifact. However, we are receiving the below runtime exception :
-java.lang.NoClassDefFoundError: org/slf4j/LoggerFactory
at org.opensaml.DefaultBootstrap.getLogger(DefaultBootstrap.java:246)
at org.opensaml.DefaultBootstrap.initializeXMLSecurity(DefaultBootstrap.java:189)
at
If you are referring to the CVE-2021-44228 vulnerability (aka. Log4Shell) then Slf4J is not the vulnerable library so you don't have to exclude it. Only Log4j-core is affected by this particular vulnerability for versions between 2 until before 2.15.0
See https://nvd.nist.gov/vuln/detail/CVE-2021-44228
There are other known vulnerabilities at the moment (and many that are still probably waiting to be discovered), as #eray-tufay points out. The example he gives is https://cve.report/CVE-2021-4104:
Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default
So, to be protected against current and future vulnerabilities:
include in your build pipeline an automatic check against new vulnerabilities, like https://owasp.org/www-project-dependency-check/
constantly upgrade your dependendencies to use the latest versions
Eclipse, Selenium, Windows
The import org.apache.log4j cannot be resolved
I have followed all the documented steps I can find, i.e.:
1) the following two jar files are in the project build-path:
log4j-core-2.6.2.jar and log4j-api-2.6.2.jar
2) the above two jar files are located in the following folder:
C:\eclipse\apache-log4j-2.6.2-bin
3) The above folder is in my system CLASSPATH environment variable C:\eclipse\apache-log4j-2.6.2-bin
4) The project contains the following log4j.properties file in the project root
# This sets the global logging level and specifies the appenders
log4j.rootLogger=INFO, theConsoleAppender
# settings for the console appender
log4j.appender.theConsoleAppender=org.apache.log4j.ConsoleAppender
log4j.appender.theConsoleAppender.layout=org.apache.log4j.PatternLayout
log4j.appender.theConsoleAppender.layout.ConversionPattern=%-4r [%t] %-5p %c %x - %m%n
5) I have cleaned the project
6) failing import is: import org.apache.log4j.Logger;
Intermittently I am also getting this error message
"The type org.apache.log4j.Logger cannot be resolved. It is indirectly referenced from required .class files" at the first line:
package com.example;
This error disappears when I do a project -> Clean
but the error on import of log4j persists.
Any thoughts would be greatly appreciated.
If you are getting this error it means your application or one of its dependencies uses the Log4j 1.2 API.
The org.apache.log4j package is the Log4j 1.2 namespace. Log4j 2 uses the org.apache.logging.log4j namespace. Log4j 1.2 became End of Life in 2015 and users are recommended to upgrade to Log4j 2.
You already have the correct log4j-api-2.x.jar and log4j-core-2.x.jar in your classpath, the only thing missing is the log4j-1.2-api-2.x.jar. log4j-1.2-api is an adapter module that ensures your application's calls to the Log4j 1.2 API are delegated to the Log4j 2 implementation.
Please ensure the old log4j-1.2.x.jar is removed from the classpath.
Finally, the configuration you showed seems to be for Log4j 1.2 and will not work with Log4j 2. The Log4j 2 manual has many example configurations. (The documentation alone is reason to upgrade, it is so much better in Log4j 2.) See for example the section on the Console appender or the File appender.
Log4j 2 also supports a properties configuration format (but the syntax differs from the log4j 1.2 properties format).
Check your Eclipse version and log4j dependency version. If 1.2.17 is not working then check using 1.2.16.
I just picked up an existing web application at work that is supposed to log its activity using Log4J. I've configured my workspace exactly as I was told to and everything else (db connection, authentication, etc...) works fine except that the nothing is being written to the log file. Other similar applications have no problem logging.
I've looked at the WebSphere console when the application starts up and there are no errors there that might indicate why Log4J isn't logging.
I mentioned this to another dev (who once worked on this application, but not for a while and is more out of date than I am on it) who remarked that it was very strange behaviour, but had no idea why it might fail to log and not report any errors.
I've gone over the config file and properties file and everything looks OK. I suspect that Log4J is never even reading the log4j.xml but I'm not certain of that. It's been a while since I've worked with Log4J - does anyone have some good tips on trouble-shooting this type of problem?
PS: There are instances of this application that are deployed to various test/QA/prod servers and these instances all log fine. It's only on local workstations that logging seems to silently fail.
Update: So it does seem to be a problem with the way the application is being deployed.
I changed the classloader mode to "Parent Last" and I can see that the Log4J file is at least being read now. And the first action I attempt triggers a ClassNotFoundException saying that org.apache.commons.logging.impl.Log4jFactory cannot be found.
2nd Update:
I've noticed something stranger... The application has two WAR projects - one of them is for the UI and the other is for some web services. The project that is for the UI is successfully logging its operations to the log file. The web service project is the one that fails with the ClassNotFoundException. Both of them have commons-logging.jar listed as a JavaEE module dependency, and neither of them have a project-specific logging configuration (all config files are in a Resources project).
A major difference is that that UI project includes some other in-house frameworks (pre-compiled as JARs) that might already include necessary logging configurations and maybe that's where the difference is.
I also tried to use the answer (a file named org.apache.commons.logging.LogFactory in the META-INF/services with one line containing: "org.apache.commons.logging.impl.Log4jFactory") from this question: Websphere all logs are going to SystemOut.log but it did not seem to help.
See this answer:
How to initialize log4j properly?
-Dlog4j.debug is very useful for problems like this
The most recent thing I changed that finally got logging working properly was changing the classloader mode to "PARENT_FIRST" and WAR classloader policy to "Application". The initial default configuration was "PARENT_FIRST"/"Module". I changed it to "PARENT_LAST"/"Application" on the advice of a co-worker who says logging works fine for them and this is the only change they have to make when they create a new sandbox for this application. I'm not sure why I had to go with "PARENT_FIRST"/"Application", but at least it works now.
UPDATE:
I tried setting up a new workspace and I had the same problem. It turns out you need "PARENT_FIRST"/"Application" AND a file named org.apache.commons.logging.LogFactory in the META-INF/services with one line containing: "org.apache.commons.logging.impl.Log4jFactory". Not having the file causes logging to fail (typically with a message saying that a Log4J cannot be found).
just my two cents - i had something like this happening - but in my case i could see some output from my logging calls. it was just apparent that the configuration was picked up from somewhere else, and the one i was changing didn't have any impact.
after turning on -Dlog4j.debug=true as suggested here, it was evident that log4j was picking up a file named log4j.xml situated inside my tomcat's work directory. either it was a leftover from other stuff i was doing, or it was generated somehow from some log4j configuration in one of my misconfigured libraries.
i haven't thought of erasing the contents of work directory (could have tried.. [edit: i tried and it didn't work]) - the only thing i though of was to pass hardcoded reference to my properties file through -Dlog4j.configuration=log4j.properties (didn't want to use absolute path) (it happened that i was using a properties file and not an xml) - and it worked.
[edit: well, it didn't work for the server configuration. I finally found what was wrong - some home-cooked libraries that I was including as JARs into my project, had their own log4j.xml and log4j.properties files, which were apparently read/found earlier than my own properties file - the rightest thing was to delete these redundant property files from JARs]
I realize this isn't your exact same symptom, but there are known issues with log4j if your application (or anything it uses) uses Commons Logging. See if this question/answer is relevant.
I had a problem where log4j was not showing anything in one of my projects. Turned out I had added a leading space in the classname in the log4j2.xml file. Log4j does a dictionary lookup by classname. So any leading or trailing space in the classname would render that particular entry invalid.
not able to create log file, i have used logback.xml file in spring webservice application and deployed into websphere server...But when i have used log4j.properties file it is creating log file . i have given proper dependency proper for log4j and slf4j.. logback.xml file
<file>C:/abc/myLogFile.log</file>
<append>true</append>
<encoder>
<pattern>%d [%thread] %-5level %logger{35} - %msg%n</pattern>
</encoder></appender>
`
dependency:
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>
<version>${slf4j.version}</version>
</dependency>
<dependency>
<groupId>ch.qos.logback</groupId>
<artifactId>logback-classic</artifactId>
<version>${logback.version}</version>
</dependency>
<dependency>
<groupId>ch.qos.logback</groupId>
<artifactId>logback-core</artifactId>
<version>${logback.version}</version>
</dependency>
Specifically, I use spring only for configuring my project through ApplicationContext. In my spring xml I load some bean properties through PropertyPlaceholderConfigurer. Whenever in the dependencies I swap commons-logging-x.x with jcl-slf4j.jar the loading of the context fails with ClassNotFoundExceptions on the placeholder substitutions. Example:
In my spring.xml there is:
<bean id="testbean" class="${testbean.implementingClass}"/>
where testbean.implementingClass is defined in spring.properties:
testbean.implementingClass=my.implementation.TestClass
If I run the project using commons-logging jar all works perfectly. If I change it to jcl-slf4j then I get ClassNotFoundException that the class [${testbean.implementingClass}] was not found, i.e. it does not do the placeholder substituion. Has anyone observed this?
EDIT: My problem doesnt have to do with the jars because:
From http://www.slf4j.org/legacy.html :
Our JCL over SLF4J implementation will allow you to migrate to SLF4J gradually, especially if some of the libraries your software depends on continue to use JCL for the foreseeable future. You can immediately enjoy the benefits of SLF4J's reliability and preserve backward compatibility at the same time. Just replace commons-logging.jar with jcl-over-slf4j.jar. Subsequently, the selection of the underlying logging framework will be done by SLF4J instead of JCL but without the class loader headaches plaguing JCL. The underlying logging framework can be any of the frameworks supported by SLF4J. Often times, replacing commons-logging.jar with jcl-over-slf4j.jar will immediately and permanently solve class loader issues related to commons logging.
When you use jcl-slf4j, you have to make sure you have excluded all commons-logging dependencies from your project. Make sure there is no commons-logging jar anywhere in the classpath.