[jboss-jira] [JBoss JIRA] (WFCORE-482) Add log4j2 support for WildFly

Andrew Marlow (Jira) issues at jboss.org
Tue Nov 26 18:08:00 EST 2019


    [ https://issues.jboss.org/browse/WFCORE-482?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13818287#comment-13818287 ] 

Andrew Marlow commented on WFCORE-482:
--------------------------------------

I have just downloaded wildfly-18.0.1 and was very surprised to find that it still depends on the ancient log4j version 1. That version of log4j reached end of life on 5th Aug 2015. It contains several CVEs including serious XXE vulnerabilities. Hence any product that uses wildfly will be exposed to these CVEs via transitive dependencies. I was alerted to this via two mechanisms; firstly the owasp dependency checker (via the maven plugin); and second, via Black Duck. This places wildfly off-limits in my corporate environment, where there are rules against shipping software that contains transitive CVEs via open source products. Please consider adding direct support for log4j2 as soon as possible. Thank you.

> Add log4j2 support for WildFly
> ------------------------------
>
>                 Key: WFCORE-482
>                 URL: https://issues.jboss.org/browse/WFCORE-482
>             Project: WildFly Core
>          Issue Type: Task
>          Components: Logging
>         Environment: Spring 3, Hibernate, Wicket, JBoss AS7
>            Reporter: Amarkanth Ranganamayna
>            Assignee: James Perkins
>            Priority: Major
>
> I am trying to use Flume Appender which comes with Log4j2 (log4j 1.x doesn't support flume appender) (AND) in order to achieve this, I am looking at how to configure JBoss AS7 to use log4j2.
> Looks like Jboss AS7 by default uses log4j 1.x
> Are you guys already working on using log4j2?
> If NOT, can you please suggest how to configure Jboss AS7 such that it picks up "log4j2.xml" file and doesn't use its own logging.
> Thanks,
> Amar



--
This message was sent by Atlassian Jira
(v7.13.8#713008)

