  1. Log4j 2
  2. LOG4J2-1110

org.apache.logging.log4j.jul.CoreLogger.setLevel() checks for security permission too late

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.3
    • Fix Version/s: 2.4
    • Component/s: JUL adapter
    • Labels:
      None

      Description

      org.apache.logging.log4j.jul.CoreLogger.setLevel() checks for security permission too late.

      The JUL Javadocs https://docs.oracle.com/javase/7/docs/api/java/util/logging/Logger.html#setLevel(java.util.logging.Level) state:

      Throws:
      SecurityException - if a security manager exists and if the caller does not have LoggingPermission("control").

      Our implementation, org.apache.logging.log4j.jul.CoreLogger.setLevel(Level):

          @Override
          public void setLevel(final Level level) throws SecurityException {
              logger.setLevel(LevelTranslator.toLevel(level));
              super.doSetLevel(level);
          }
      

      It checks for permissions through super.doSetLevel(level), which is too late since our logger is already modified.

      The fix is to switch the two calls:

          @Override
          public void setLevel(final Level level) throws SecurityException {
              super.doSetLevel(level);
              logger.setLevel(LevelTranslator.toLevel(level));
          }
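
The difference between the two orderings can be observed by calling each one without the permission and reading back the wrapped logger's level. The following is an added example, not Log4j code and not part of the original report: `Delegate`, `Adapter`, `mayControl` and the method names are hypothetical stand-ins, and the permission check is simulated with a boolean rather than a real security manager.

```java
import java.util.logging.Level;

// Added illustration; every class and method name here is a hypothetical stand-in, not Log4j code.
public class SetLevelOrderingDemo {

    // Stand-in for the wrapped Log4j core logger.
    static class Delegate { Level level = Level.INFO; }

    // Stand-in for the JUL adapter; mayControl simulates holding LoggingPermission("control").
    static class Adapter {
        final Delegate delegate = new Delegate();
        final boolean mayControl;

        Adapter(boolean mayControl) { this.mayControl = mayControl; }

        // Simulates the permission check reached through super.doSetLevel(level).
        void doSetLevel(Level level) {
            if (!mayControl) throw new SecurityException("LoggingPermission(\"control\") denied");
        }

        // Ordering reported against 2.3: mutate, then check.
        void setLevelMutateFirst(Level level) {
            delegate.level = level;
            doSetLevel(level);
        }

        // Ordering of the fix: check, then mutate.
        void setLevelCheckFirst(Level level) {
            doSetLevel(level);
            delegate.level = level;
        }
    }

    // Returns the delegate's level after a call made without the permission.
    static Level levelAfterDeniedCall(boolean checkFirst) {
        Adapter a = new Adapter(false);
        try {
            if (checkFirst) a.setLevelCheckFirst(Level.FINE);
            else a.setLevelMutateFirst(Level.FINE);
        } catch (SecurityException denied) {
            // Both orderings report the denial; only the side effect differs.
        }
        return a.delegate.level;
    }

    public static void main(String[] args) {
        System.out.println("mutate-first leaves level " + levelAfterDeniedCall(false));
        System.out.println("check-first leaves level  " + levelAfterDeniedCall(true));
    }
}
```

A regression test for the fix can assert the same property: after a denied `setLevel` call, the wrapped logger's level is unchanged.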
      

            People

            • Assignee:
              Unassigned
              Reporter:
              garydgregory Gary Gregory