[jboss-jira] [JBoss JIRA] (WFCORE-482) Add log4j2 support for WildFly

Andrew Marlow (Jira) issues at jboss.org
Mon Dec 2 02:27:01 EST 2019


    [ https://issues.jboss.org/browse/WFCORE-482?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13819441#comment-13819441 ] 

Andrew Marlow commented on WFCORE-482:
--------------------------------------

In my previous comment I got it slightly wrong regarding my mention of CVEs. There is only one CVE and it is not even filed against log4j-v1. There is CVE-2017-5645 which is logged against log4j2. It is to do with the code that listens on the logger event port and deserialises without doing some sanity checking. Diffing between 2.8.1 and 2.8.2 I see how checking has now been added. The code is slightly different in v1 but it does still perform an unchecked deserialisation of a LoggerEvent object, so it does look vulnerable to me. There may be a new CVE raised for this at some point, even though log4j-v1 is end of life. I hope a new CVE is raised. The lack of a current CVE for log4j-v1 is causing some people to say that when they are alerted to CVE-2017-5645 it is a false flag. See https://github.com/jeremylong/DependencyCheck/issues/1138 for an example of this. I think that Red Hat has performed the same code analysis that I did and come to the same conclusion, which is why they patched JBoss (the proprietary version of Wildfly). So it might not be viewed as a false flag forever.

I've chased down the log4j-v1 dependency. It comes from jbossws-cxf-client. So I reckon that would have to be changed to use log4j2 before wildfly could be changed. I think a new ticket needs to be raised for jbossws-cxf-client.




> Add log4j2 support for WildFly
> ------------------------------
>
>                 Key: WFCORE-482
>                 URL: https://issues.jboss.org/browse/WFCORE-482
>             Project: WildFly Core
>          Issue Type: Task
>          Components: Logging
>         Environment: Spring 3, Hibernate, Wicket, JBoss AS7
>            Reporter: Amarkanth Ranganamayna
>            Assignee: James Perkins
>            Priority: Major
>
> I am trying to use Flume Appender which comes with Log4j2 (log4j 1.x doesn't support flume appender) (AND) in order to achieve this, I am looking at how to configure JBoss AS7 to use log4j2.
> Looks like JBoss AS7 by default uses log4j 1.x
> Are you guys already working on using log4j2 ?
> If NOT, can you please suggest how to configure JBoss AS7 such that it picks up "log4j2.xml" file and doesn't use its own logging.
> Thanks,
> Amar



--
This message was sent by Atlassian Jira
(v7.13.8#713008)
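The comment above turns on one code-level difference: a socket listener that calls readObject() on whatever the peer sends, versus one that refuses to resolve any class not on an explicit allow-list (the approach log4j 2.8.2 took for CVE-2017-5645). The following is an added, self-contained illustration of that difference; it is not code from log4j, WildFly or jbossws-cxf-client. LogEvent is a constructed stand-in for the log event class a listener expects, Gadget is a constructed stand-in for an attacker-supplied serializable class whose readObject hook runs during deserialization, and FilteredObjectInputStream is a hypothetical name for the allow-listing stream.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Collections;
import java.util.Set;

public class FilteredLogEventDeserialization {

    /** Constructed stand-in for the log event type a socket-appender listener expects to receive. */
    static final class LogEvent implements Serializable {
        private static final long serialVersionUID = 1L;
        final String loggerName;
        final String message;
        LogEvent(String loggerName, String message) { this.loggerName = loggerName; this.message = message; }
    }

    /** Constructed stand-in for an attacker-supplied class. Its readObject hook runs while the stream is
     *  being read, i.e. before the caller ever gets a chance to inspect or cast the returned object. */
    static final class Gadget implements Serializable {
        private static final long serialVersionUID = 1L;
        static boolean triggered = false;
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            triggered = true; // a real gadget chain would do something harmful at this point
        }
    }

    /** Vulnerable pattern: deserialize whatever arrived, then cast. The cast happens too late to help. */
    static LogEvent readUnchecked(byte[] payload) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            return (LogEvent) ois.readObject();
        }
    }

    /** Hardened pattern (hypothetical name): resolveClass() is consulted for every class descriptor in the
     *  stream, so rejecting there stops the object from being instantiated and its readObject from running. */
    static final class FilteredObjectInputStream extends ObjectInputStream {
        private final Set<String> allowed;
        FilteredObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
            super(in);
            this.allowed = allowed;
        }
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            String name = desc.getName();
            if (!allowed.contains(name)) {
                throw new InvalidClassException(name, "class not in deserialization allow-list");
            }
            return super.resolveClass(desc);
        }
    }

    // Only the event type itself is needed; String fields are written as TC_STRING records, not class descriptors.
    static final Set<String> ALLOWED = Collections.singleton(LogEvent.class.getName());

    static LogEvent readFiltered(byte[] payload) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new FilteredObjectInputStream(new ByteArrayInputStream(payload), ALLOWED)) {
            return (LogEvent) ois.readObject();
        }
    }

    static byte[] serialize(Serializable obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(obj);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] benign = serialize(new LogEvent("com.example", "hello"));   // constructed sample event
        byte[] hostile = serialize(new Gadget());                          // constructed hostile stream

        // Unchecked listener: Gadget.readObject has already run by the time the ClassCastException is thrown.
        try {
            readUnchecked(hostile);
        } catch (ClassCastException expected) {
            System.out.println("unchecked: cast failed, but gadget triggered = " + Gadget.triggered);
        }

        Gadget.triggered = false;
        // Filtered listener: the stream is rejected at class resolution, so no gadget code runs at all.
        try {
            readFiltered(hostile);
        } catch (InvalidClassException e) {
            System.out.println("filtered: rejected (" + e.getMessage() + "), gadget triggered = " + Gadget.triggered);
        }
        LogEvent ok = readFiltered(benign);
        System.out.println("filtered: accepted " + ok.loggerName + ": " + ok.message);
    }
}
```

Run with `javac FilteredLogEventDeserialization.java && java FilteredLogEventDeserialization`. The point worth checking in any listener you audit is where the type check happens: a cast after readObject() (the log4j 1.x SocketNode shape) is not a check, because readObject hooks and constructors of every class in the stream have already executed. On Java 9 and later (and 8u121 onward) the same allow-list can be applied without subclassing via the JEP 290 ObjectInputFilter mechanism, but a resolveClass() override like the one above works on any Java version the 1.x socket code still runs on.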


