Java-Reload4j: reload4j is a drop-in replacement for log4j 1.2.17

What is reload4j?

The reload4j project is a fork of Apache log4j version 1.2.17. It aims to fix the most urgent issues in log4j 1.2.17, which has not seen a new release since 2012. It will be a drop-in replacement for log4j.jar.

Note that the End of Life (EOL) status of log4j 1.x was formally reaffirmed on January 6th, 2022. Given the need to fix critical issues in log4j 1.2.17, and the presence of several volunteers to do the work, it was decided to resuscitate log4j 1.x under the name "reload4j" as a drop-in replacement.

Project web-site: https://reload4j.qos.ch

Open issues can be viewed, and new issues reported, at https://jira.qos.ch.

All steps undertaken in the project are first published on Jira and discussed on the mailing list.

Comments

  • Move chainsaw, net, jdbc, jmx, ... into separate artifacts

    Jan 13, 2022

    Vladimir Sitnikov: It would allow clients to depend on the reduced feature set, and they will be secured in the face of unknown vulnerabilities.

    task
  • ci: set up GitHub Actions

    Jan 14, 2022

    The project targets Java 1.5, so Java 8 should be used for the compilation. However, the tests are run with the current JAVA_HOME, so when running Maven with Java 17 the tests use Java 17.

    Sample CI output: https://github.com/vlsi/reload4j/actions/runs/1696556736
  • Add .editorconfig and .gitattributes for consistent handling of whitespace and newlines

    Jan 14, 2022

    This PR goes on top of #12, so I suggest merging #12 first or just updating branch_1.2.18 to b04ec2b89b3b4b1575ec7e7e02372c900d2a573e which includes both PRs.
  • Some yet unidentified tests produce output under the temp/ or output/ folders

    Jan 14, 2022

    These tests need to be identified and their output should be redirected to target/test-output.

    Configuration files are the place to start looking.

    bug
  • ci: add test matrix randomization

    Jan 15, 2022

    Matrix generation can be tested via ./node matrix.js

    Still need to ensure timezone and other JIT-related properties are passed to the test (e.g. when forking the processes).
  • Idea for a Light Weight Edition

    Jan 17, 2022

    Would it be possible to produce a reload4j-le (light-weight) edition that removes all appenders apart from the file and console appenders?

    This would be useful for reassuring security teams as, whilst new appenders could be added by configuration and additional JARs/classes, they don't exist "by default". Also, the resulting JAR should be smaller, so slightly better for containers (containers usually only log to console anyway).

    Hopefully this can use the exact same code base but exclude classes with a new reload4j-le build file.

    This kind of ties into issue #5.
  • Investigate forks

    Jan 17, 2022

    There are forks that might be worth exploring and joining forces:

    • [x] ~https://github.com/Netflix/blitz4j~
    • [ ] TBD
  • Fix CVE-2022-23305: use PreparedStatement in JDBCAppender when possible

    Jan 19, 2022

    By default, the appender would treat '....%..' as string literals, and it would use PreparedStatement.setString(..) for that.

    Old behavior can be restored via org.apache.log4j.jdbc.JDBCAppender.secure_jdbc_replacement=false.

    UPD: as JDBCAppender has been removed, the diff was looking as if I added the class from scratch. So I've split the PR in two commits: "revert JDBCAppender removal" and then "fix CVE". I believe it makes it easier to see what has changed to fix the CVE.
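The CVE-2022-23305 fix described above replaces text substitution with parameter binding. The script below is an added illustration of that idea and is not code from reload4j (the real appender is Java, and the actual fix may differ in detail). It is written in Python so it runs stand-alone against sqlite3's `?` placeholders instead of JDBC's PreparedStatement.setString; the pattern renderer (only %m, %p and %c), the SQL template and the log event are constructed for the example. It shows the rewrite of quoted literals containing conversion patterns into placeholders, and what happens to a message containing an apostrophe under the legacy path versus the prepared path.

```python
import re
import sqlite3

# Stand-in for a log4j PatternLayout that understands only %m (message),
# %p (level) and %c (logger). Constructed for this example.
FIELDS = {"m": "message", "p": "level", "c": "logger"}
CONVERSION = re.compile(r"%([mpc])")

def render_pattern(pattern, event):
    """Expand %m/%p/%c in `pattern` with values from the event dict."""
    return CONVERSION.sub(lambda m: event[FIELDS[m.group(1)]], pattern)

# A single-quoted SQL string literal, allowing the '' escape.
QUOTED_LITERAL = re.compile(r"'((?:[^']|'')*)'")

def legacy_sql(template, event):
    """Pre-fix behaviour: the rendered pattern *is* the SQL statement text."""
    return render_pattern(template, event)

def prepared_sql(template, event):
    """Post-fix behaviour (as the issue describes it): every quoted literal
    that contains a conversion pattern becomes a '?' placeholder and its
    rendered value is bound as a parameter. Literals without patterns stay
    part of the statement text. Returns (sql_with_placeholders, parameters)."""
    params = []

    def to_placeholder(match):
        literal = match.group(1)
        if "%" not in literal:
            return match.group(0)
        params.append(render_pattern(literal.replace("''", "'"), event))
        return "?"

    return QUOTED_LITERAL.sub(to_placeholder, template), params

# Constructed appender template and log event. The message carries an
# apostrophe, which is enough to break the legacy text-substitution path.
TEMPLATE = "INSERT INTO logs (level, logger, message) VALUES ('%p', '%c', '%m')"
EVENT = {"level": "WARN", "logger": "app.auth", "message": "user O'Brien failed login"}

def run_demo(template=TEMPLATE, event=EVENT):
    """Insert one event both ways into an in-memory SQLite table and report
    the outcome: the legacy path is rejected by the database as soon as the
    message contains a quote, while the prepared path stores it verbatim."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE logs (level TEXT, logger TEXT, message TEXT)")
    outcome = {}
    try:
        conn.execute(legacy_sql(template, event))
        outcome["legacy"] = "inserted"
    except sqlite3.Error as exc:
        outcome["legacy"] = "rejected: " + str(exc)
    sql, params = prepared_sql(template, event)
    conn.execute(sql, params)
    outcome["prepared_sql"] = sql
    outcome["stored_message"] = conn.execute("SELECT message FROM logs").fetchone()[0]
    conn.close()
    return outcome

if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The point of the quoted-literal rule is that the database never sees log data as statement text: whatever the message contains, it arrives through the bound parameter. The secure_jdbc_replacement property mentioned in the issue is not modelled here.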
  • Remove unused LF5 components

    Jan 19, 2022

    I don't ever recall questions or a bug report against LF5. It looks like dead weight.

    task
  • CVE-2022-23302: Deserialization of untrusted data in JMSSink in Apache Log4j 1.x

    Jan 19, 2022

    Same fix as for JMSAppender.

    CVE
  • XML external entity injection

    Jan 24, 2022

    https://hdivsecurity.com/bornsecure/prevention-of-xml-external-entity-xxe-attacks/

    CVE
  • UtilLoggingLevelTest.testToLevelFINEST fails with tr_TR locale

    Jan 15, 2022

    See https://github.com/qos-ch/reload4j/runs/4826244581?check_suite_focus=true#step:6:1395

    Error:  Failures: 
    Error:    UtilLoggingLevelTest.testToLevelFINEST:42 expected same:<FINEST> was not:<DEBUG>
  • Fix SocketServerTestCase test case on Linux

    Jan 13, 2022

    bug
  • create a tag for the 1.2.18.0 version in git

    Jan 13, 2022

    Hannes Rosenögger on 2022-01-13: Currently, there is no way for people to know from which commit the 1.2.18.0 version has been created. I think it's important for people to be able to reproduce a build if they need to.

    bug
  • Rename 1.2.8.0 Milestone to 1.2.18.0

    Jan 13, 2022

    To avoid confusion the milestone should be renamed to the correct version :)

    bug
  • CVE-2020-9488 - SMTPS connection to be intercepted by a man-in-the-middle attack

    Jan 19, 2022

    CVE
  • Request for Clarity on the Future for Reload4J

    Jan 17, 2022

    Thanks all for work in hardening this. I've been testing reload4j and it's very nice that it is a simple drop-in replacement - it works great.

    I note your statement that this is meant "to fix most pressing security issues. It is intended as a drop-in replacement for log4j version 1.2.17". I also read the comments about the Apache Software Foundation still considering log4j v1 as end of life. But I do note that SLF4J is now also supporting reload4J.

    With the recent log4jv2 issues the spot-light has been placed on all logging systems, and our security team are not happy that slf4j v1 is end of life. If we go to the security team and recommend replacing our existing log4jv1 JARs with reload4j, I know what they will ask next.

    Whilst I realise that, like most open-source, you probably do this in your spare time, would it be possible to clarify future plans on the reload4j web site? Is this still end-of-life, just a one-shot replacement for log4jv1? Or will it now be a maintained (if needed) fork going forward - so no longer end of life?

    I do realise this is a "how long is a piece of string" question, but just some clarity on the website would be very useful.
  • OSGI bundle manifest file

    Jan 24, 2022

    Would it be possible to generate a META-INF/MANIFEST.MF with OSGI bundle information for use in an OSGI environment? (log4j 1.2.17 has one.)

    Regards Olaf