Description
log4j 1.2.17 is not supported and contains critical vulnerabilities
https://blogs.apache.org/foundation/entry/apache_logging_services_project_announces
I suggest excluding the ignite-log4j module from ignite
Direct vulnerabilities:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23305
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23302
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4104
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17571
As a result of the mentioned migration, the following changes will be applied:
1. ignite-log4j.xml will be migrated to log4j2 format.
2. core/src/test/config/log4j-test.xml will not be migrated to log4j2 because it is used with compatibility tests.
3. core/src/test/config/log4j2-test.xml is refactored to suit current log4j format. The current version of core/src/test/config/log4j2-test.xml is moved to the log4j2/src/test/config folder.
4. osgi-paxlogging will be removed because it's only meant to provide some log4j dependencies. We have no need for them now.
5. Exception logging format will change slightly:
Before:
class org.apache.ignite.IgniteException: Platform error:System.Exception: EXCEPTION_TEST_Warn
at org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.loggerLog(PlatformProcessorImpl.java:449)
at org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.processInStreamOutLong(PlatformProcessorImpl.java:511)
at org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.processInStreamOutLong(PlatformProcessorImpl.java:575)
at org.apache.ignite.internal.processors.platform.PlatformTargetProxyImpl.inStreamOutLong(PlatformTargetProxyImpl.java:67)
After:
org.apache.ignite.IgniteException: Platform error:System.Exception: EXCEPTION_TEST_Warn
at org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.loggerLog(PlatformProcessorImpl.java:449)
at org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.processInStreamOutLong(PlatformProcessorImpl.java:511)
at org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.processInStreamOutLong(PlatformProcessorImpl.java:575)
at org.apache.ignite.internal.processors.platform.PlatformTargetProxyImpl.inStreamOutLong(PlatformTargetProxyImpl.java:67)
As you can see, only the first word "class" is omitted.
6. All other files containing log4j configuration will be refactored to suit log4j2 and will be renamed if previously their name allowed log4j to automatically find them in the class path (e.g. log4j.xml -> log4j2.xml and so on).
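An added example, not part of the original issue or the Ignite code base: a Python scanner that walks a deployment directory and reports which jars still carry the log4j 1.x classes behind the four CVEs listed above. The jar names and directory layout created by `build_sample` are constructed for the demonstration.

```python
import os
import tempfile
import zipfile

# log4j 1.x class files named in the public descriptions of the CVEs above.
CVE_CLASSES = {
    "org/apache/log4j/jdbc/JDBCAppender.class": "CVE-2022-23305",
    "org/apache/log4j/net/JMSSink.class": "CVE-2022-23302",
    "org/apache/log4j/net/JMSAppender.class": "CVE-2021-4104",
    "org/apache/log4j/net/SocketServer.class": "CVE-2019-17571",
}


def scan_jar(path):
    """Return the sorted CVE ids whose classes are present in one archive."""
    try:
        with zipfile.ZipFile(path) as jar:
            names = set(jar.namelist())
    except (zipfile.BadZipFile, OSError):
        return []  # unreadable or not a zip: nothing to report
    return sorted(cve for cls, cve in CVE_CLASSES.items() if cls in names)


def scan_tree(root):
    """Walk root and map each affected archive path to its CVE ids."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith((".jar", ".war", ".ear")):
                full = os.path.join(dirpath, name)
                cves = scan_jar(full)
                if cves:
                    findings[full] = cves
    return findings


def build_sample(root):
    """Constructed sample: a partially stripped 1.x jar and a log4j2 jar."""
    libs = os.path.join(root, "libs")
    os.makedirs(libs)
    with zipfile.ZipFile(os.path.join(libs, "log4j-1.2.17.jar"), "w") as j:
        j.writestr("org/apache/log4j/net/SocketServer.class", b"")
        j.writestr("org/apache/log4j/jdbc/JDBCAppender.class", b"")
    with zipfile.ZipFile(os.path.join(libs, "log4j-core-sample.jar"), "w") as j:
        j.writestr("org/apache/logging/log4j/core/Appender.class", b"")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(scan_tree(tmp))
```

A class-presence hit marks a candidate only: forks and bridge jars reuse the `org.apache.log4j` package, so confirm the artifact and version before acting. Jars nested inside other archives are not opened by this scan.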
Issue Links
- Blocked
  - IGNITE-16651 [nodejs-thin-client] replace logger with ignite-log4j2 (Resolved)
- relates to
  - IGNITE-11486 Support Automatic modules for ignite-zookeeper: Migrate to log4j2 to resolve issues with logging packages conflict (Open)
  - IGNITE-16728 [ducktests] Change logger to log4j2 (Resolved)