maven: migrate short-term to reload4j v1.2.18#5878
sureshanaparti merged 4 commits into apache:4.16 from
Conversation
This migrates to the log4j 1.x fork, reload4j 1.2.18.0, which is a drop-in replacement and addresses some immediate CVEs and issues.
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
@blueorangutan package

@rohityadavcloud a Jenkins job has been kicked to build packages. I'll keep you posted as I make progress.

Tested locally, the build works - pl help review, advise on the PR cc @DaanHoogland @borisstoyanov @vladimirpetrov @sureshanaparti @nvazquez @weizhouapache @shwstppr @mlsorensen

nice!

Packaging result: ✔️ el7 ✔️ el8 ✔️ debian ✔️ suse15. SL-JID 2396
| <dependency> | ||
| <groupId>log4j</groupId> | ||
| <artifactId>log4j</artifactId> | ||
| <version>${cs.log4j.version}</version> |
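Review bot: keep the single `${cs.log4j.version}` property, but make sure the coordinates on these lines resolve to the reload4j artifact (`ch.qos.reload4j:reload4j`) rather than `log4j:log4j`, otherwise this module still resolves the unmaintained artifact regardless of what the property is set to. One pinned property matters here because the dependency tree discussed later in this thread shows esapi and the contrail plugin pulling in log4j 1.2.17 and 1.2.16 transitively; those need `<exclusion>` entries on the pulling dependency so that only the reload4j version remains, and `mvn dependency:tree | grep log4j:log4j` should come back empty after the change.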
do we (still) need the version here?
Not sure, didn't want to refactor/experiment; so I've left all build config as is, just replaced log4j with reload4j.
@blueorangutan test

@rohityadavcloud a Trillian-Jenkins test job (centos7 mgmt + kvm-centos7) has been kicked to run smoke tests

Trillian Build Failed (tid-3147)

Trillian Build Failed (tid-3153)

Trillian test result (tid-3146)

Trillian test result (tid-3148)
@rohityadavcloud - just looked at the dependency tree with this change. Do we need to move to slf4j 1.7.35? See https://www.slf4j.org/news.html
I'm also seeing esapi pulling in log4j 1.2.17, and contrail plugin pulling in log4j 1.2.16.
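A check for the transitive pulls described above, as an added example that is not code from this PR or from CloudStack: it walks `mvn dependency:tree` output and attributes every surviving `log4j:log4j` node to the direct dependency whose subtree brings it in, which is where a Maven `<exclusion>` belongs. The tree text is a constructed sample; the `org.example` module names and every version other than reload4j 1.2.18.0 are illustrative.

```python
import re
from typing import List, Tuple

# Constructed sample of `mvn dependency:tree` output for this kind of audit;
# module names and versions are illustrative, not real output from this PR.
SAMPLE_TREE = """\
[INFO] --- maven-dependency-plugin:3.1.2:tree (default-cli) @ example-module ---
[INFO] org.example:example-module:jar:1.0.0
[INFO] +- ch.qos.reload4j:reload4j:jar:1.2.18.0:compile
[INFO] +- org.owasp.esapi:esapi:jar:2.2.0.0:compile
[INFO] |  +- log4j:log4j:jar:1.2.17:compile
[INFO] |  \\- commons-io:commons-io:jar:2.6:compile
[INFO] \\- org.example:example-contrail-plugin:jar:1.0.0:compile
[INFO]    \\- net.example:contrail-client:jar:0.1:compile
[INFO]       \\- log4j:log4j:jar:1.2.16:compile
"""

# Tree drawing uses 3-character cells per depth level: "+- ", "\- ", "|  ", "   ".
LINE_RE = re.compile(
    r"^\[INFO\] (?P<prefix>(?:\+- |\\- |\|  |   )*)"
    r"(?P<coord>[^\s:]+(?::[^\s:]+){3,5})\s*$"
)

def find_legacy_log4j(tree_text: str) -> List[Tuple[str, str]]:
    """Return (version, culprit) for each log4j:log4j node; culprit is the direct
    dependency whose subtree pulls it in (where an <exclusion> belongs)."""
    findings: List[Tuple[str, str]] = []
    path: List[str] = []  # coordinates from the root down to the current node
    for line in tree_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # plugin header, blank separators, build summary lines
        depth = len(m.group("prefix")) // 3
        parts = m.group("coord").split(":")
        group, artifact = parts[0], parts[1]
        version = parts[-1] if depth == 0 else parts[-2]  # scope is last below root
        del path[depth:]  # climb back up to this node's parent
        path.append(f"{group}:{artifact}:{version}")
        if (group, artifact) == ("log4j", "log4j"):
            findings.append((version, "declared directly" if depth == 1 else path[1]))
    return findings

def migration_complete(tree_text: str) -> bool:
    """True only when reload4j is on the tree and no log4j:log4j node survives."""
    has_reload4j = re.search(r"\bch\.qos\.reload4j:reload4j:", tree_text) is not None
    return has_reload4j and not find_legacy_log4j(tree_text)

if __name__ == "__main__":
    for version, culprit in find_legacy_log4j(SAMPLE_TREE):
        print(f"log4j:log4j:{version} pulled in via {culprit}")
```

Feed it the real tree with `mvn dependency:tree -Dincludes=log4j:log4j` redirected to a file; `migration_complete` is the gate a CI job can fail on.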
Co-authored-by: Marcus Sorensen <mls@apple.com>
Thanks for the review @mlsorensen and the exclusion fix. I'll kick some tests.

@blueorangutan package

@rohityadavcloud a Jenkins job has been kicked to build packages. I'll keep you posted as I make progress.

Packaging result: ✔️ el7 ✔️ el8 ✔️ debian ✔️ suse15. SL-JID 2466

@blueorangutan test matrix

@sureshanaparti a Trillian-Jenkins matrix job (centos7 mgmt + xs71, centos7 mgmt + vmware65, centos7 mgmt + kvmcentos7) has been kicked to run smoke tests

Trillian test result (tid-3174)

Trillian test result (tid-3173)

Trillian test result (tid-3175)

cc @Pearl1594 are the k8s failures intermittent?

@rohityadavcloud a Jenkins job has been kicked to build packages. I'll keep you posted as I make progress.

Packaging result: ✔️ el7 ✔️ el8 ✔️ debian ✖️ suse15. SL-JID 2482

@blueorangutan test centos7 vmware-67u3
Based on the logs it seems to be due to:

@Pearl1594 a Jenkins job has been kicked to build packages. I'll keep you posted as I make progress.

Packaging result: ✔️ el7 ✔️ el8 ✔️ debian ✔️ suse15. SL-JID 2489

Trillian test result (tid-3207)
borisstoyanov left a comment

LGTM, managed to build/deploy this and run it with RockyLinux8 (CentOS8 eq), centos7, ubuntu20, centos7-ev. There were no exceptions related to logging in management and agent logs.
This migrates to the log4j 1.x fork, reload4j 1.2.18.0, which is a drop-in
replacement and addresses some immediate CVEs and issues.
This will require some manual testing of logging, as well as smoketests.
Fixes: (from https://reload4j.qos.ch/)
Standardize and sanitize the build - fixed in 1.2.18.0
CVE-2021-4104 (JMSAppender) - fixed in 1.2.18.0 by hardening
CVE-2022-23302 (JMSSink) - fixed in 1.2.18.1 by hardening
CVE-2019-17571 (SocketServer) - fixed in 1.2.18.0 by hardening
CVE-2020-9493 and CVE-2022-23307 (Chainsaw) - fixed in 1.2.18.1 by hardening
CVE-2022-23305 (JDBCAppender) - fixed in 1.2.18.2 by hardening the component.
broken MDC in newer JDKs - fixed in 1.2.18.0
XML entity injection attack - fixed in 1.2.18.3 by hardening
CVE-2020-9488 (SMTPAppender) - fixed in 1.2.18.3 by hardening