Effect of log4j vulnerability on wildfly-11.0.0-final - security

I am using wildfly-11.0.0-final. I can see the log4j-jboss-logmanager jar has a log4j 1.2.16 dependency. Will it be affected? How to mitigate this?

If you are not using the JMSAppender you shouldn't be exposed if I understand https://www.wildfly.org/news/2021/12/13/Log4j-CVEs/ correctly.

Related

How to solve vulnerability issues based on Log4j?

I found multiple vulnerability issues related to Log4j in Vulnerability assessment and it is listed below:
Apache Log4j Unsupported Version Detection
Apache Log4j 1.x Multiple Vulnerabilities
Apache Log4j 1.2 JMSAppender Remote Code Execution (CVE-2021-4104)
It suggests upgrading its version. And it comes under the Pyspark package. So I uninstalled the package since I am not using it. But again the same issue was found.
How can I solve this issue? Can anyone suggest a solution to solve this problem?
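Both the answer about WildFly above and the scanner findings in this related question turn on the same precondition: a log4j 1.x configuration that actually wires up JMSAppender (CVE-2021-4104). The following is an added example, not code from WildFly or from either post, that walks a deployment tree and flags every log4j.properties or log4j.xml binding an appender to that class; the sample deployment it writes to a temp directory is constructed.

```python
import os
import re
import tempfile
import xml.etree.ElementTree as ET

JMS_CLASS = "org.apache.log4j.net.JMSAppender"
# "log4j.appender.<name>=org.apache.log4j.net.JMSAppender" in 1.x properties syntax
PROP_RE = re.compile(r"^\s*log4j\.appender\.([^.=\s]+)\s*=\s*" + re.escape(JMS_CLASS) + r"\s*$", re.M)

def jms_appenders_in_properties(text):
    return PROP_RE.findall(text)  # names of appenders bound to JMSAppender

def jms_appenders_in_xml(text):
    try:
        root = ET.fromstring(text)
    except ET.ParseError:
        return []  # not a log4j XML file (or damaged); nothing to report
    return [a.get("name", "?") for a in root.iter("appender") if a.get("class") == JMS_CLASS]

def find_jms_appender_configs(root_dir):
    """Walk a deployment tree; report each log4j.properties / log4j.xml that wires up JMSAppender."""
    hits = []
    for dirpath, _, files in os.walk(root_dir):
        for name in files:
            if name not in ("log4j.properties", "log4j.xml"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            found = jms_appenders_in_xml(text) if name.endswith(".xml") else jms_appenders_in_properties(text)
            if found:
                hits.append((os.path.relpath(path, root_dir).replace(os.sep, "/"), found))
    return sorted(hits)

# Constructed sample deployment (not real data): one clean config and two that wire up JMSAppender.
SAMPLES = {
    "clean.war/WEB-INF/classes/log4j.properties": "log4j.rootLogger=INFO, FILE\nlog4j.appender.FILE=org.apache.log4j.FileAppender\n",
    "legacy.war/WEB-INF/classes/log4j.properties": "log4j.rootLogger=INFO, jms\nlog4j.appender.jms=" + JMS_CLASS + "\n",
    "legacy-xml.war/WEB-INF/classes/log4j.xml": '<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/"><appender name="JMS" class="' + JMS_CLASS + '"/></log4j:configuration>',
}

def build_sample_tree():
    root = tempfile.mkdtemp()  # fresh directory holding the constructed SAMPLES
    for rel, content in SAMPLES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root

if __name__ == "__main__":
    for path, names in find_jms_appender_configs(build_sample_tree()):
        print(path, "->", ", ".join(names))
```

A hit means the JMSAppender condition from the WildFly notice applies to that deployment; no hit only clears the configuration, not the presence of the unsupported 1.x jar itself.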

org.slf4j:log4j-over-slf4j:jar:1.7.21:compile vulnerability

We need to migrate to log4j 2.17 if we are using the log4j jar. mvn dependency:tree is showing only log4j-over-slf4j:jar, so I assume the app is safe as it will redirect calls to slf4j, not to log4j.
Please confirm my app is safe with this jar without any remediation?
In the SLF4J website, in the Comments on the log4shell(CVE-2021-44228) vulnerability they state that:
If you are using log4j-over-slf4j.jar in conjunction with the SLF4J API, you are safe unless the underlying implementation is log4j 2.x.
So it basically depends on how you're implementing the logs' generation. Slf4j natively uses logback. But to be sure, you can check your pom.xml and see if log4j is mentioned there.
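One way to verify that assumption from the build itself rather than from the pom alone: an added example (not from the question or the SLF4J site) that parses `mvn dependency:tree` output and reports whether log4j-over-slf4j is merely bridging to another implementation, or whether a Log4j 2 core is present and below the 2.17 migration target named in the question. The tree text is constructed, and the artifact-to-role table is this example's own assumption.

```python
import re

# One coordinate per line in `mvn dependency:tree`: groupId:artifactId:type[:classifier]:version:scope
COORD_RE = re.compile(r"[\w.\-]+:[\w.\-]+:[\w.\-]+(?::[\w.\-]+)?:[\w.\-]+:\w+")

ROLES = {  # artifacts that decide where log4j API calls really end up
    ("log4j", "log4j"): "log4j 1.x implementation",
    ("org.apache.logging.log4j", "log4j-core"): "Log4j 2.x implementation",
    ("ch.qos.logback", "logback-classic"): "logback implementation",
    ("org.slf4j", "log4j-over-slf4j"): "log4j 1.x API redirected to SLF4J (no log4j implementation)",
    ("org.slf4j", "slf4j-log4j12"): "SLF4J binding to log4j 1.x",
    ("org.apache.logging.log4j", "log4j-slf4j-impl"): "SLF4J binding to Log4j 2.x",
}
MIGRATION_TARGET = (2, 17)  # the Log4j 2 version the question says an app must migrate to

def parse_tree(text):
    """Yield (group, artifact, version, scope) for every dependency line of the tree."""
    for line in text.splitlines():
        m = COORD_RE.search(line)
        if m:
            parts = m.group(0).split(":")
            yield parts[0], parts[1], parts[-2], parts[-1]

def version_tuple(v):
    return tuple(int(x) for x in re.findall(r"\d+", v))

def assess(text):
    """Name the logging artifacts in the tree and classify what really backs the log4j API."""
    found = [(g, a, v, ROLES[(g, a)]) for g, a, v, s in parse_tree(text) if (g, a) in ROLES and s != "test"]
    versions = {a: v for _, a, v, _ in found}
    if "log4j-core" in versions:  # Log4j 2 is the real implementation: its version matters
        ok = version_tuple(versions["log4j-core"]) >= MIGRATION_TARGET
        status = "LOG4J2_CORE_OK" if ok else "LOG4J2_CORE_OUTDATED"
    elif "log4j" in versions:
        status = "LOG4J1_PRESENT"  # unsupported 1.x jar; the JMSAppender check applies
    elif "log4j-over-slf4j" in versions:
        status = "BRIDGE_ONLY"  # calls are redirected to SLF4J; no Log4j implementation at all
    else:
        status = "NO_LOG4J"
    return {"status": status, "found": found}

# Constructed sample output (not from a real build) showing the situation in the question.
SAMPLE_BRIDGE = """\
[INFO] com.example:app:war:1.0
[INFO] +- org.slf4j:slf4j-api:jar:1.7.21:compile
[INFO] +- org.slf4j:log4j-over-slf4j:jar:1.7.21:compile
[INFO] +- ch.qos.logback:logback-classic:jar:1.1.7:compile
[INFO] |  \\- ch.qos.logback:logback-core:jar:1.1.7:compile
"""
# Same app with a transitive Log4j 2 core that another library pulled in.
SAMPLE_CORE = SAMPLE_BRIDGE + "[INFO] \\- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile\n"
```

Run it over `mvn dependency:tree -Dscope=runtime` output; the second sample shows why the pom alone is not enough, since the core can arrive transitively.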

Empty PropertyConfigurator implementation in log4j-1.2-api

I'm upgrading Log4j-1.2.17 to Log4j2-2.12.2 in my project.
To do that I'm using the log4j-1.2 bridge.
In the old version I used a property file to configure log4j.
After the upgrade everything looks ok, no errors, no warnings. But logs don't appear in the file pointed to in the properties file.
I realized that PropertyConfigurator.class exists in log4j-1.2-api.jar, but methods don't have implementation.
empty PropertyConfigurator.configure(Properties properties)
Can you explain that to me?
Which configuration syntax is correct when I use log4j-1.2-api.jar? log4j or log4j2?
Prior to Log4j 2.13.0 log4j-1.2-api only provides compatibility for applications that used the log4j 1.x API for logging. The Log4j 2 configuration is still used as all logging calls are redirected to Log4j 2. So only the Log4j 2 configuration syntax would be valid.
Many of the old log4j 1.x internal classes are also present because many applications were using them in an attempt to manually manipulate logging, much of which probably isn't necessary with Log4j 2.
In Log4j 2.13.0 the log4j-1.2-api was extended to provide experimental support for Log4j 1.x configuration files. You would have to compare your log4j 1 configurations with the documentation to determine if that support will work for you. However, the Log4j 1.x PropertyConfigurator still will be a no-op even with the compatibility support.
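Since only Log4j 2 syntax is honoured through the bridge on 2.12.x, the following is an added example (not code from the Log4j project) that translates a minimal log4j 1.x properties file into the equivalent Log4j 2 properties keys. It handles File and Console appenders with PatternLayout plus the root and named loggers; anything else raises so nothing is silently dropped. The LEGACY sample is constructed.

```python
import re
# log4j 1.x appender class -> Log4j 2 plugin type; 1.x appender option -> Log4j 2 attribute name
APPENDER_TYPES = {"org.apache.log4j.ConsoleAppender": "Console", "org.apache.log4j.FileAppender": "File"}
OPTIONS = {"File": "fileName", "Append": "append"}

def parse_properties(text):
    pairs = (l.split("=", 1) for l in map(str.strip, text.splitlines()) if "=" in l and not l.startswith(("#", "!")))
    return {k.strip(): v.strip() for k, v in pairs}

def split_logger_value(value):
    parts = [p.strip() for p in value.split(",")]  # 1.x: "LEVEL, appenderA, appenderB"
    return parts[0], [p for p in parts[1:] if p]

def convert(text):
    """Translate a log4j 1.x properties file into Log4j 2 properties syntax (returns the new file text)."""
    props = parse_properties(text)
    out = ["status = warn"]
    for key, value in props.items():
        m = re.fullmatch(r"log4j\.appender\.([^.]+)", key)
        if not m:
            continue
        name, prefix = m.group(1), f"log4j.appender.{m.group(1)}"
        if value not in APPENDER_TYPES:
            raise ValueError(f"unsupported appender class {value}; extend APPENDER_TYPES")
        out += [f"appender.{name}.type = {APPENDER_TYPES[value]}", f"appender.{name}.name = {name}"]
        out += [f"appender.{name}.{attr} = {props[prefix + '.' + opt]}" for opt, attr in OPTIONS.items() if prefix + "." + opt in props]
        if props.get(prefix + ".layout") == "org.apache.log4j.PatternLayout":
            out += [f"appender.{name}.layout.type = PatternLayout",
                    f"appender.{name}.layout.pattern = {props[prefix + '.layout.ConversionPattern']}"]
    if "log4j.rootLogger" in props:
        level, refs = split_logger_value(props["log4j.rootLogger"])
        out += [f"rootLogger.level = {level}"] + [f"rootLogger.appenderRef.{r}.ref = {r}" for r in refs]
    for key, value in props.items():
        if key.startswith("log4j.logger."):
            logger, ident = key[len("log4j.logger."):], key[len("log4j.logger."):].replace(".", "_")
            level, refs = split_logger_value(value)
            out += [f"logger.{ident}.name = {logger}", f"logger.{ident}.level = {level}"]
            out += [f"logger.{ident}.appenderRef.{r}.ref = {r}" for r in refs]
    return "\n".join(out) + "\n"

# Constructed log4j 1.x configuration of the kind the question describes (file appender, one package logger).
LEGACY = """\
log4j.rootLogger=INFO, FILE
log4j.appender.FILE=org.apache.log4j.FileAppender
log4j.appender.FILE.File=logs/app.log
log4j.appender.FILE.layout=org.apache.log4j.PatternLayout
log4j.appender.FILE.layout.ConversionPattern=%d %p %c - %m%n
log4j.logger.com.example=DEBUG
"""
```

Save the output on the classpath as log4j2.properties; the old log4j.properties is then ignored by the bridge rather than misread.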

Why log4J not working after adding apache CXF?

I have developed a small web application using JSF, and I added log4j to handle logging. Everything worked perfectly until I added a web service to my web application. After implementing the web service using Apache CXF I'm not getting any logs in my log file, but I can get logs in the Eclipse console. I don't know why it behaves like that. My log file simply shows messages like
I'm using jdk1.5, log4j 1.2.15 and CXF 2.6.11. Also I tried some solutions from Apache to use log4j instead of the CXF default logger. Please refer to http://cxf.apache.org/docs/debugging-and-logging.html#DebuggingandLogging-LoggingMessages
But the recommended solutions did not work for me. How can I solve this issue?
It is possible that CXF introduces yet another logging mechanism, or the imported versions of slf4j/log4j are not compatible.
I would recommend that you check the CXF pom file, and exclude all the log4j/slf4j jar files.
As #Arash said, remove log4j from classpath (if present). Also add the file META-INF/cxf/org.apache.cxf.Logger to the classpath with the following content:
org.apache.cxf.common.logging.Slf4jLogger
Reference: Using SLF4J Instead of java.util.logging
The problem was solved by removing slf4j-jdk14.jar from CXF. Actually the problem is "Class path contains multiple SLF4J bindings". So I removed the CXF log4j binding. Now it's working perfectly. Thanks for all.
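A direct check for the cause the poster found, as an added example that is not CXF's code: it opens every jar in a lib directory and lists those containing org/slf4j/impl/StaticLoggerBinder.class, the class each SLF4J 1.x binding of that era carried, so two hits reproduce the "multiple SLF4J bindings" condition before deployment. The sample jars it builds are constructed placeholders, not real binaries.

```python
import os
import tempfile
import zipfile

# Each SLF4J 1.x binding (slf4j-jdk14, slf4j-log4j12, logback-classic, ...) ships this class;
# more than one on the classpath triggers the warning the poster saw, and whichever wins is arbitrary.
BINDING_CLASS = "org/slf4j/impl/StaticLoggerBinder.class"

def slf4j_bindings(lib_dir):
    """Return the jar file names under lib_dir that contain an SLF4J binding."""
    hits = []
    for name in sorted(os.listdir(lib_dir)):
        path = os.path.join(lib_dir, name)
        if not name.endswith(".jar") or not zipfile.is_zipfile(path):
            continue
        with zipfile.ZipFile(path) as jar:
            if BINDING_CLASS in jar.namelist():
                hits.append(name)
    return hits

def check_classpath(lib_dir):
    """'ok' with exactly one binding, 'none' with zero, 'multiple' when they conflict."""
    found = slf4j_bindings(lib_dir)
    return {0: "none", 1: "ok"}.get(len(found), "multiple"), found

def build_sample_lib():
    """Constructed WEB-INF/lib: a CXF-supplied slf4j-jdk14 next to the app's own slf4j-log4j12."""
    lib = tempfile.mkdtemp()
    jars = {
        "cxf-api-2.6.11.jar": ["org/apache/cxf/Bus.class"],
        "slf4j-api-1.7.5.jar": ["org/slf4j/Logger.class"],
        "slf4j-jdk14-1.7.5.jar": [BINDING_CLASS, "org/slf4j/impl/JDK14LoggerAdapter.class"],
        "slf4j-log4j12-1.7.5.jar": [BINDING_CLASS, "org/slf4j/impl/Log4jLoggerAdapter.class"],
    }
    for jar_name, entries in jars.items():
        with zipfile.ZipFile(os.path.join(lib, jar_name), "w") as jar:
            for entry in entries:
                jar.writestr(entry, b"\xca\xfe\xba\xbe")  # placeholder bytes, not real class files
    return lib

def remove_jar(lib_dir, jar_name):
    """Drop one binding, as the poster did, and return the re-checked status."""
    os.remove(os.path.join(lib_dir, jar_name))
    return check_classpath(lib_dir)

if __name__ == "__main__":
    lib = build_sample_lib()
    print(check_classpath(lib))
    print(remove_jar(lib, "slf4j-jdk14-1.7.5.jar"))
```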

Log4j and Websphere 7 application server

I get the below error and the log file is not created. I know log4j.properties is not being picked up correctly
log4j:WARN No appenders could be found for logger
log4j jar is in lib and classpath
log4j.properties is in src folder and gets loaded to classes folder on build
I tried many ways to fix this error, like adding a services folder with the log4j implementation class to fix the WAS logging conflict; I also tried slf4j.
Has anyone found a way to fix the log4j issue with WAS7 or later?
You can troubleshoot Log4J itself by specifying the log4j.debug=true system variable. Then you'll know exactly what's going on with Log4J, internally.
Does your log4j.properties file contain any logger definitions? Perhaps you can paste the file here?
I had this same problem (WAS ignoring my META-INF/services/org.apache.commons.logging.LogFactory file).
The problem was solved when I downgraded commons-logging to 1.0.3, to match WAS version. Check this article for more info.
Consider using the Java Logging framework instead, which is built into the standard Java Runtime Environment and requires no additional installations or configuration. The relevant classes are in the java.util.logging package and there is an overview of the process for using them here (it works in a very similar way to log4j).
