log4j | Mirror of Apache log4j

 by apache | Java | Version: Current | License: Apache-2.0

kandi X-RAY | log4j Summary

log4j is a Java library typically used in logging applications. log4j has no bugs, a build file is available, it has a permissive license, and it has medium support. However, log4j has 3 vulnerabilities. You can download it from GitHub.

            Support

              log4j has a medium active ecosystem.
              It has 752 star(s) with 478 fork(s). There are 103 watchers for this library.
              It had no major release in the last 6 months.
              log4j has no issues reported. There are 12 open pull requests and 0 closed requests.
              It has a neutral sentiment in the developer community.
              The latest version of log4j is current.

            Quality

              log4j has 0 bugs and 0 code smells.

            Security

              log4j has 3 vulnerability issues reported (2 critical, 0 high, 0 medium, 1 low).
              log4j code analysis shows 0 unresolved vulnerabilities.
              There are 0 security hotspots that need review.

            License

              log4j is licensed under the Apache-2.0 License. This license is Permissive.
              Permissive licenses have the least restrictions, and you can use them in most projects.

            Reuse

              log4j releases are not available. You will need to build from source code and install.
              Build file is available. You can build the component from source.

            Top functions reviewed by kandi - BETA

            kandi has reviewed log4j and identified the functions below as its top functions. The list is intended to give a quick view of the functionality log4j implements and to help you decide whether it suits your requirements.
            • Parse configuration element.
            • Create a pattern converter.
            • Creates an abbreviation from a string.
            • Sets the log type.
            • Parse an appender name.
            • Convert String to Level.
            • Check if there is any existing files.
            • Create factor factors.
            • Format an element.
            • Find the millisecond start.

            log4j Key Features

            No Key Features are available at this moment for log4j.

            log4j Examples and Code Snippets

            Setter for log4j.
            Java | Lines of Code: 7 | License: Permissive (MIT License)
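            // Uses java.io.InputStream, java.util.Properties, org.apache.log4j.LogManager and PropertyConfigurator.
            private static void setLogger() throws IOException {
                // Load the log4j 1.x properties file from the classpath.
                InputStream is = HasNextVsHasNextLineDemo.class.getResourceAsStream("/scanner/log4j.properties");
                Properties props = new Properties();
                props.load(is);
                // The page's copy stops at "LogManager.res"; the two calls below are the assumed completion.
                LogManager.resetConfiguration();
                PropertyConfigurator.configure(props);
            }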

            Community Discussions

            QUESTION

            spark-shell throws java.lang.reflect.InvocationTargetException on running
            Asked 2022-Apr-01 at 19:53

            When I execute run-example SparkPi, for example, it works perfectly, but when I run spark-shell, it throws these exceptions:

            ...

            ANSWER

            Answered 2022-Jan-07 at 15:11

            I face the same problem; I think Spark 3.2 is the problem itself.

            Switched to Spark 3.1.2, it works fine.

            Source https://stackoverflow.com/questions/70317481

            QUESTION

            How to quickly detect and remove log4j classes from our code base and the base image? "mvn dependency:tree" does not check base image
            Asked 2022-Mar-21 at 09:08

            We are building an app based on Red Hat JBoss AMQ 6. We wrap some Java code around the base image to provide extra functionalities which are lacking in AMQ 6.

            Now, when the CVE of Log4j struck, we found that this component is vulnerable because it uses log4j 1.x. Now I don't just mean our Java code uses it, but also the base image of Red Hat AMQ 6 uses it. As AMQ 6 is EOL now, Red Hat does not provide support anymore, so there will not be official releases with a fix.

            So, how do I remove vulnerable log4j 1.x classes from:

            • my Java code
            • the base image

            ?

            I am building with jib maven plugin.

            It seems mvn dependency:tree only gives info about our Java wrapper code, not about the base image. And I don't understand what the "+" and "-" mean when it gives output like this:

            ...

            ANSWER

            Answered 2022-Mar-21 at 09:08
            Step 1: Dealing with our wrapping Java code base

            For our code, we do:

            Source https://stackoverflow.com/questions/70333482

            QUESTION

            log4js-node-DEP0004 - Deprecation warning in Angular 12 karma unit tests
            Asked 2022-Feb-16 at 17:00

            I'm getting the following deprecation warning when running unit tests in a brand new Angular 12 application:

            (node:14940) [log4js-node-DEP0004] DeprecationWarning: Pattern %d{DATE} is deprecated due to the confusion it causes when used. Please use %d{DATETIME} instead.

            why log4js prompts "karma" depends on it. The warning itself is clear as to what should be done but there are two key missing pieces of information:

            • it doesn't say when/if the old syntax will stop working
            • it doesn't provide a workaround (other than forking karma and replacing the deprecated syntax with the new one - which I'm definitely not going to do).

            Downgrading log4js to an earlier version, which doesn't output the warning, using forceResolutions doesn't seem like a good idea, especially since I've found a few github threads related to vulnerabilities in it, although karma doesn't seem to be affected.

            The question: are there actionable paths for not getting the warning, or is "and now we wait" (for a karma update) the only option?

            Note: I've also asked it on karma's repo.

            ...

            ANSWER

            Answered 2022-Feb-16 at 17:00

            Got the fix from karma maintainers:

            Update karma (in package.json > devDependencies.karma) to ^6.3.12.

            Warnings gone. Well done, karma. That was fast!

            Source https://stackoverflow.com/questions/70841924

            QUESTION

            nexus-staging-maven-plugin: maven deploy failed: An API incompatibility was encountered while executing
            Asked 2022-Feb-11 at 22:39

            This worked fine for me building under Java 8. Now under Java 17.01 I get this when I do mvn deploy.

            mvn install works fine. I tried 3.6.3 and 3.8.4 and updated (I think) all my plugins to the newest versions.

            Any ideas?

            ...

            ANSWER

            Answered 2022-Feb-11 at 22:39

            Update: Version 1.6.9 has been released and should fix this issue! 🎉

            This is actually a known bug, which has now been open for quite a while: OSSRH-66257. There are two known workarounds:

            1. Open Modules

            As a workaround, use --add-opens to give the library causing the problem access to the required classes:

            Source https://stackoverflow.com/questions/70153962

            QUESTION

            Log4j vulnerability - Is Log4j 1.2.17 vulnerable (was unable to find any JNDI code in source)?
            Asked 2022-Feb-01 at 15:47

            With regard to the Log4j JNDI remote code execution vulnerability that has been identified CVE-2021-44228 - (also see references) - I wondered if Log4j-v1.2 is also impacted, but the closest I got from source code review is the JMS-Appender.

            The question is, while the posts on the Internet indicate that Log4j 1.2 is also vulnerable, I am not able to find the relevant source code for it.

            Am I missing something that others have identified?

            Log4j 1.2 appears to have a vulnerability in the socket-server class, but my understanding is that it needs to be enabled in the first place for it to be applicable and hence is not a passive threat unlike the JNDI-lookup vulnerability which the one identified appears to be.

            Is my understanding - that Log4j v1.2 is not vulnerable to the jndi-remote-code execution bug - correct?

            References

            This blog post from Cloudflare also indicates the same point as from AKX... that it was introduced from Log4j 2!

            Update #1 - A fork of the (now-retired) apache-log4j-1.2.x with patch fixes for a few vulnerabilities identified in the older library is now available (from the original log4j author). The site is https://reload4j.qos.ch/. As of 21-Jan-2022 version 1.2.18.2 has been released. Vulnerabilities addressed to date include those pertaining to JMSAppender, SocketServer and Chainsaw vulnerabilities. Note that I am simply relaying this information. Have not verified the fixes from my end. Please refer to the link for additional details.

            ...

            ANSWER

            Answered 2022-Jan-01 at 18:43

            The JNDI feature was added into Log4j 2.0-beta9.

            Log4j 1.x thus does not have the vulnerable code.

            Source https://stackoverflow.com/questions/70310980

            QUESTION

            How to give certificate to Java Websocket?
            Asked 2022-Jan-20 at 10:33

            Forgive me for the newb question, but I am confused and obviously not understanding the fundamentals or explanations of how to use a Websocket server hosted over HTTPS. Everything I find online leads me to have more questions than answers.

            I have a Websocket server hosted on my HTTPS website using Java code.

            This is my WebsocketServer.java file:

            ...

            ANSWER

            Answered 2022-Jan-13 at 14:50

            Keep it easy.
            Certs inside your application are complex - they are hard to manage and you will have problems running your application in a modern cloud environment (start new environments, renew certs, scale your application, ...).

            Simple conclusion: Don't implement any certs.

            How to get encrypted connections?

            As Mike already pointed out in the comments: WebSockets are just upgraded HTTP(S) connections. A normal webserver (nginx, apache) takes care of the certs. It can be done in kubernetes (as ingress-controller) or with a "bare-metal" webserver.
            Both of them should act as a reverse-proxy. This means: Your java-application doesn't know anything about certs. It has just unencrypted connections - like in your code on port 6868.
            But the client will not use this port. 6868 is only internally reachable.

            The client will call your reverse-proxy at the normal HTTPS port (=443). The reverse-proxy will forward the connection to your java-application.

            Here are some links for further information:

            Source https://stackoverflow.com/questions/70654559

            QUESTION

            Upgrade Apache Solr 8.10.1 log4j 2.14.1 version to 2.15 to address critical vulnerability
            Asked 2022-Jan-19 at 09:31

            Recently a critical log4j vulnerability was discovered.

            I want to upgrade the log4j as used by my current Solr instance, so I checked here. However, I don't see a log4j.properties file in "/server/resources/" folder. All I see there is:

            • jetty-logging.properties
            • log4j2.xml
            • log4j2-console.xml

            None of these files contain a version. So to upgrade, is it safe to download the latest version of log4j and overwrite the existing jars in folder "\solr-8.10.1\server\lib\ext", or what are the recommended steps to upgrade?

            ...

            ANSWER

            Answered 2021-Dec-13 at 15:51

            The link you're pointing to is for an older version of Solr (6.6 instead of 8.10.1). The correct version is https://solr.apache.org/guide/8_10/configuring-logging.html where it mentions using log4j 2.

            The file log4j2.xml (and even log4j.properties for that matter) configures the logging itself, not the version of log4j. So updating that file is irrelevant.

            Here's what the project page recommends:

            2021-12-10, Apache Solr affected by Apache Log4J CVE-2021-44228

            ...

            Description: Apache Solr releases prior to 8.11.1 were using a bundled version of the Apache Log4J library vulnerable to RCE. For full impact and additional detail consult the Log4J security page.

            ...

            Mitigation: Any of the following are enough to prevent this vulnerability for Solr servers:

            • Upgrade to Solr 8.11.1 or greater (when available), which will include an updated version of the log4j2 dependency.
            • Manually update the version of log4j2 on your runtime classpath and restart your Solr application.
            • (Linux/MacOS) Edit your solr.in.sh file to include: SOLR_OPTS="$SOLR_OPTS -Dlog4j2.formatMsgNoLookups=true"
            • (Windows) Edit your solr.in.cmd file to include: set SOLR_OPTS=%SOLR_OPTS% -Dlog4j2.formatMsgNoLookups=true
            • Follow any of the other mitigations listed at https://logging.apache.org/log4j/2.x/security.html

            What you're proposing (overwrite the existing jars in folder "\solr-8.10.1\server\lib\ext") seems like the second approach, so it should probably work fine. Just make sure this is the correct place that contains the log4j dependency.

            Source https://stackoverflow.com/questions/70337252

            QUESTION

            Was slf4j affected with vulnerability issue in log4j
            Asked 2022-Jan-13 at 05:18

            I have implemented a POC and have used slf4j for logging. The zero day vulnerability issue in log4j, did that also impact slf4j logs?

            ...

            ANSWER

            Answered 2022-Jan-03 at 22:16

            It depends. Slf4j is just an API that can use any of its implementations behind it, log4j being just one. Check which one is used on the back, and if this is log4j and between versions 2.0.0 and 2.15.0 (2.15.0 is the one with the fix, versions 1.x are not affected) you should update it (if it is exposed to users directly or indirectly).

            Source https://stackoverflow.com/questions/70353248

            QUESTION

            wildfly 16, log4j 2.17.0, NoSuchFieldError: EMPTY_BYTE_ARRAY
            Asked 2022-Jan-11 at 17:22

            I get an error during wildfly startup with the following message:

            NoSuchFieldError: EMPTY_BYTE_ARRAY

            The message also says that this error occurs in undertow deployment. Could anybody give me a hint of what is going on here and how to solve that?

            Below is the beginning of the stack trace.

            ...

            ANSWER

            Answered 2021-Dec-26 at 15:35

            You need to exclude the API module from your deployment. Your other option is to use WildFly 26, which includes the 2.16 version of the API.

            Source https://stackoverflow.com/questions/70474648

            QUESTION

            How to run Spark SQL Thrift Server in local mode and connect to Delta using JDBC
            Asked 2022-Jan-08 at 06:42

            I'd like to connect to Delta using JDBC and would like to run the Spark Thrift Server (STS) in local mode to kick the tyres.

            I start STS using the following command:

            ...

            ANSWER

            Answered 2022-Jan-08 at 06:42

            Once you copy the io.delta:delta-core_2.12:1.0.0 JAR file to $SPARK_HOME/lib and restart, this error goes away.

            Source https://stackoverflow.com/questions/69862388

            Community Discussions, Code Snippets contain sources that include Stack Exchange Network

            Vulnerabilities

            Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender.
            Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data, which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j 1.2 versions up to 1.2.17.
            CVE-2017-5645 CRITICAL
            In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.

            Install log4j

            You can download it from GitHub.
            You can use log4j like any standard Java library. Include the jar files in your classpath. You can also use any IDE to run and debug the log4j component as you would any other Java program. Best practice is to use a build tool that supports dependency management, such as Maven or Gradle. For Maven installation, refer to maven.apache.org. For Gradle installation, refer to gradle.org.

            Support

            For any new features, suggestions and bugs, create an issue on GitHub. If you have any questions, check and ask them on the community page on Stack Overflow.

            CLONE
          • HTTPS

            https://github.com/apache/log4j.git

          • CLI

            gh repo clone apache/log4j

          • sshUrl

            git@github.com:apache/log4j.git
