org.slf4j:log4j-over-slf4j:jar:1.7.21:compile vulnerability - log4j

We need to migrate to log4j 2.17 if we are using the log4j jar. mvn dependency:tree is showing only log4j-over-slf4j:jar, so I assume the app is safe as it will redirect calls to slf4j, not to log4j.
Please confirm my app is safe with this jar without any remediation?

On the SLF4J website, in the comments on the Log4Shell (CVE-2021-44228) vulnerability, they state that:
If you are using log4j-over-slf4j.jar in conjunction with the SLF4J API, you are safe unless the underlying implementation is log4j 2.x.
So it basically depends on how you're implementing the log generation. SLF4J natively uses logback. But to be sure, you can check your pom.xml and see if log4j is mentioned there.
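The check the answer suggests, as an added example (not code from the question or from the SLF4J site): it parses `mvn dependency:tree` output and applies the SLF4J statement above, treating log4j-over-slf4j as sufficient only when no log4j-core (and no Log4j 1.x) sits underneath it. The sample tree is constructed; only the log4j-over-slf4j line comes from the question.

```python
import re
from typing import Dict, Tuple
# Constructed sample of `mvn dependency:tree` output; only the
# log4j-over-slf4j line is from the question, the rest is made up.
SAMPLE_TREE = """\
[INFO] com.example:app:jar:1.0.0
[INFO] +- org.slf4j:slf4j-api:jar:1.7.21:compile
[INFO] +- org.slf4j:log4j-over-slf4j:jar:1.7.21:compile
[INFO] +- ch.qos.logback:logback-classic:jar:1.1.7:compile
[INFO] |  \\- ch.qos.logback:logback-core:jar:1.1.7:compile
[INFO] \\- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
"""
# Dependency lines look like groupId:artifactId:type[:classifier]:version:scope
DEP_RE = re.compile(r"([\w.\-]+):([\w.\-]+):[\w\-]+:(?:[\w\-]+:)?([\w.\-]+):(\w+)")
LOG4J2_CORE = "org.apache.logging.log4j:log4j-core"
LOG4J1 = "log4j:log4j"
BRIDGE = "org.slf4j:log4j-over-slf4j"
TARGET = (2, 17, 0)  # the version the question says the team is migrating to

def parse_tree(text: str) -> Dict[str, str]:
    """Return {'groupId:artifactId': version} for every dependency line."""
    deps = {}
    for line in text.splitlines():
        m = DEP_RE.search(line)
        if m:
            deps[f"{m.group(1)}:{m.group(2)}"] = m.group(3)
    return deps

def version_key(v: str) -> Tuple[int, ...]:
    """'2.14.1' -> (2, 14, 1); non-numeric parts such as 'rc1' count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", v))

def assess(deps: Dict[str, str]) -> Dict[str, object]:
    core = deps.get(LOG4J2_CORE)
    return {
        "log4j2_core": core,
        "core_below_target": core is not None and version_key(core) < TARGET,
        # the bridge only settles the question when no Log4j implementation sits underneath it
        "bridge_only": BRIDGE in deps and core is None and LOG4J1 not in deps,
    }

def verdict(text: str) -> str:
    a = assess(parse_tree(text))
    if a["core_below_target"]:
        return f"log4j-core {a['log4j2_core']} below 2.17: the bridge does not help, upgrade log4j-core"
    if a["log4j2_core"]:
        return f"log4j-core {a['log4j2_core']} is already at or above 2.17"
    if a["bridge_only"]:
        return "log4j-over-slf4j only, no log4j-core: Log4j 1.x API calls end in SLF4J, nothing to upgrade"
    return "no log4j-core found but the picture is mixed: review the tree manually"
```

Feed it the real `mvn dependency:tree` output of your build; the root artifact line carries no scope and is skipped on purpose.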

Related

Is it possible to configure log4j to use a proxy as part of its connections out to Splunk, Datadog, etc.?

If log4j doesn't support this, then is there some drop-in replacement for log4j that does? I've gone through the docs and lots of Google searches; unfortunately all search results come up with "exploit" or "vulnerability" articles.
Splunk provides a splunk-library-javalogging that has appenders for both Log4j2 Core (the reference Log4j2 API implementation) and Logback (the reference SLF4J API implementation).
The appenders use OkHttp 3.x under the hood, so they will behave like all OkHttp-based components. Since splunk-library-javalogging sets neither a proxy nor a proxySelector explicitly (cf. source code), OkHttp falls back to the system-wide ProxySelector.
Without any code modification on your part, you can use the JVM-wide proxy settings as in this question.
Remark: if by log4j you are referring to Log4j 1.x, you need to replace the log4j:log4j artifact with either log4j-over-slf4j (which forwards to the SLF4J API) or log4j-1.2-api (which forwards to the Log4j2 API).

How To attach Logback to smartfox server

How do I attach Logback to SmartFoxServer?
SmartFoxServer uses log4j by default. How can I shift logging of my extensions/all of SmartFoxServer to Logback?
I've tried this, but it is failing with this error because it has already bound to log4j, I guess.
SmartFoxServer 2x uses Simple Logging Facade for Java (SLF4J) for logging. The very purpose of SLF4J is to provide a facade over the logging framework so the user can replace one logging framework with another. In your case, log4j with Logback. I'll first explain how SLF4J works and how you can replace one logging framework with another, and briefly discuss some caveats. Then I'll cover some SmartFoxServer specifics.
Simple Logging Facade for Java Architecture
SLF4J provides an API which serves as a facade (abstraction layer) over the actual logging framework. This allows the user to easily switch between frameworks at deployment time without the need to change the code. But it also means that SLF4J on its own is not enough: the default implementation is a no-op. In order to actually log anything you need an actual logging framework (such as log4j or Logback) and a so-called "binder" which serves as a bridge or adapter between SLF4J and the logging framework.
Swapping Logging Frameworks
The SLF4J User Manual provides a detailed explanation of how you can swap one framework for another at deployment time. In short, you just need to delete the old binder and logging framework and add the new binder and the new logging framework. To swap log4j for Logback you need to delete the slf4j-log4j12 and log4j jars and add logback-classic and logback-core.
Caveats
You should make sure that there is only one binder implementation on the classpath. Having more than one causes a warning, not an error. SLF4J would just pick one of the implementations. But I would not rule out the possibility of this causing issues with a more complex application (such as SmartFoxServer) that uses multiple class loaders. More importantly, you should make sure the SLF4J API, the binder and the logging framework versions are compatible. For example, if you use an old version of SLF4J with a newer version of Logback, that may cause a ClassNotFoundException. I suspect that this could be the reason why you get the error you see.
Swapping log4j with Logback as the logging framework for SmartFoxServer 2x
SmartFoxServer 2x version 2.17.3 uses SLF4J API version 1.7.5. To swap log4j you need to first delete lib/slf4j-log4j12-1.7.5.jar and then add compatible versions of the logback-classic and logback-core jars. For example logback-classic 1.1.0 and logback-core 1.1.0.
You can delete lib/log4j-1.2.15.jar, but I would rather keep it. The binder (lib/slf4j-log4j12-1.7.5.jar) is not meant to be used directly, so it should be safe to delete. On the other hand, there are libraries that use log4j directly. I don't know if SmartFoxServer 2x uses any such library, but it is safer to keep it just in case. Swapping the binder is enough for SLF4J to use Logback and ignore log4j.
Logger Output
SmartFoxServer 2x parses the logger output to provide some functionality such as the Admin Log Viewer. If you change the log output, this may cause this functionality to stop working and maybe even cause other issues (in theory it should not, but you never know). There is a configuration file (config/logParser.properties) that would allow you to configure the log parser, but I didn't find any documentation about it. You may try asking on the SmartFoxServer forum. The developers are actually pretty active there, so they may help.
Swapping loggers only for your extension
The instructions I gave swap the logger for all extensions and SmartFoxServer. If you want, you may try to swap them only for your extensions. But I'm not quite sure if and how that would work. Each extension uses its own class loader, but this provides isolation between extensions, not between an extension and SmartFoxServer. What this means is that if you add lib.jar to the Extension A classpath it would not be visible to Extension B or to SmartFoxServer code. But if you add lib.jar to the SmartFoxServer classpath it would be visible to both Extension A and Extension B. As SmartFoxServer already contains the SLF4J API on its classpath, you should not add it to your extension classpath. You can try to add logback-classic and logback-core to your extension classpath. But in this case you'll have two binder implementations on your extension classpath (Logback and log4j from the SmartFoxServer classpath). As already discussed, I'm not quite sure how and if this would work.
Conclusion
SLF4J provides an easy way to swap logging frameworks, but there are some caveats. And SmartFoxServer adds some caveats of its own. Unless the SmartFoxServer team supports swapping the underlying logging framework (which, judging by some answers in their forum, they don't), I would be quite careful and do such a swap only if there are some benefits and it is not just a matter of personal preference.

Empty PropertyConfigurator implementation in log4j-1.2-api

I'm upgrading Log4j 1.2.17 to Log4j2 2.12.2 in my project.
To do that I'm using the log4j-1.2 bridge.
In the old version I use a property file to configure log4j.
After the upgrade everything looks OK, no errors, no warnings. But logs don't appear in the file pointed to in the properties file.
I realized that PropertyConfigurator.class exists in log4j-1.2-api.jar, but the methods don't have an implementation.
empty PropertyConfigurator.configure(Properties properties)
Can you explain that to me?
Which configuration syntax is correct when I use log4j-1.2-api.jar? log4j or log4j2?
Prior to Log4j 2.13.0, log4j-1.2-api only provides compatibility for applications that used the log4j 1.x API for logging. The Log4j 2 configuration is still used as all logging calls are redirected to Log4j 2. So only the Log4j 2 configuration syntax would be valid.
Many of the old log4j 1.x internal classes are also present because many applications were using them in an attempt to manually manipulate logging, much of which probably isn't necessary with Log4j 2.
In Log4j 2.13.0 the log4j-1.2-api was extended to provide experimental support for Log4j 1.x configuration files. You would have to compare your log4j 1 configurations with the documentation to determine if that support will work for you. However, the Log4j 1.x PropertyConfigurator will still be a no-op even with the compatibility support.

org.jxls seems to affect log4j

When I add the org.jxls dependency to the pom, it seems to affect log4j output. I set the log4j log level to "ERROR", but it outputs DEBUG information to the console. But when I remove org.jxls, log4j works right.
Although Jxls-2 uses SLF4J as a logging facade, it has a dependency on Logback because it uses some of its XML processing utilities.
If you do not use Logback but another logging framework (e.g. log4j) and a configured SLF4J binding, you can still end up with the "Class path contains multiple SLF4J bindings" warning.
Currently there is a bug in Jxls-2 to remove the Logback dependency.
Until it is fixed you may need to have a logback.xml in your classpath.
Update
The issue is now resolved in JXLS v2.2.9.
So now it should be possible to plug in any logging framework following the instructions in the SLF4J manual.

Why log4J not working after adding apache CXF?

I have developed a small web application using JSF, and I added log4j to handle logging. Everything worked perfectly until I added a web service to my web application. After implementing the web service using Apache CXF I'm not getting any logs in my log file, but I can get logs in the Eclipse console. I don't know why it behaves like that. My log file simply shows messages like
I'm using JDK 1.5, log4j 1.2.15 and CXF 2.6.11. Also, I tried some solutions from Apache to use log4j instead of the CXF default logger; please refer to http://cxf.apache.org/docs/debugging-and-logging.html#DebuggingandLogging-LoggingMessages
But the recommended solutions did not work for me. How can I solve this issue?
It is possible that CXF introduces another log mechanism, which means it adds yet another logging mechanism, or the imported versions of slf4j/log4j are not compatible.
I would recommend that you check the CXF pom file and exclude all the log4j/slf4j jar files.
As #Arash said, remove log4j from classpath (if present). Also add the file META-INF/cxf/org.apache.cxf.Logger to the classpath with the following content:
org.apache.cxf.common.logging.Slf4jLogger
Reference: Using SLF4J Instead of java.util.logging
The problem was solved by removing slf4j-jdk14.jar from CXF. Actually the problem is "Class path contains multiple SLF4J bindings". So I removed the CXF log4j binding. Now it's working perfectly. Thanks for all.
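Added example, not code from any of the answers: a scan of a lib/ or WEB-INF/lib listing for the "multiple SLF4J bindings" situation this thread, the Jxls thread and the SmartFoxServer answer all run into, plus the SLF4J API / Logback version mismatch the SmartFoxServer answer warns about. The jar listing is constructed from the jars that answer names; the logback/slf4j-api compatibility rule is my own assumption, not something stated on this page.

```python
import re
from typing import Dict, List, Tuple

# Artifacts that bind SLF4J to a concrete framework; more than one of them on
# a classpath produces "Class path contains multiple SLF4J bindings".
BINDINGS = {
    "slf4j-log4j12": "log4j 1.x", "log4j-slf4j-impl": "log4j 2.x",
    "logback-classic": "logback", "slf4j-jdk14": "java.util.logging",
    "slf4j-simple": "slf4j-simple", "slf4j-nop": "no-op",
}
# Constructed listing of a SmartFoxServer lib/ directory after logback was
# added next to the jars the answer names, without deleting the old binder.
SAMPLE_LIB = [
    "slf4j-api-1.7.5.jar", "slf4j-log4j12-1.7.5.jar", "log4j-1.2.15.jar",
    "logback-classic-1.1.0.jar", "logback-core-1.1.0.jar", "sfs2x.jar",
]
JAR_RE = re.compile(r"^(.+?)-(\d[\w.]*)\.jar$")

def parse_jar(name: str) -> Tuple[str, str]:
    """'slf4j-log4j12-1.7.5.jar' -> ('slf4j-log4j12', '1.7.5')."""
    m = JAR_RE.match(name)
    if m:
        return m.group(1), m.group(2)
    return (name[:-4] if name.endswith(".jar") else name), ""

def version_key(v: str) -> Tuple[int, ...]:
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", v))

def scan(jars: List[str]) -> Dict[str, object]:
    """Report the SLF4J bindings found and the conflicts the answers warn about."""
    found = dict(parse_jar(j) for j in jars)
    bound = {a: BINDINGS[a] for a in found if a in BINDINGS}
    problems = []
    if len(bound) > 1:
        problems.append("multiple SLF4J bindings: " + ", ".join(sorted(bound)))
    api, lb = found.get("slf4j-api"), found.get("logback-classic")
    # Assumed compatibility rule (check the release notes of what you deploy):
    # logback-classic 1.3+ needs the SLF4J 2.0 API, older logback needs 1.7.x.
    if api and lb and (version_key(lb) >= (1, 3)) != (version_key(api) >= (2, 0)):
        problems.append(f"slf4j-api {api} and logback-classic {lb} are not compatible")
    return {"bindings": bound, "problems": problems}
```

Run it over `os.listdir("lib")` (or the WEB-INF/lib of the deployed WAR); an empty problems list after removing the extra binder matches the fix reported above.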
