Voron29n opened a new issue, #1058:
URL: https://github.com/apache/poi/issues/1058
Environment
- Apache POI version: 5.5.1
- Log4j version: 2.25.4
- Java version: 21
- OS: Windows 11
Problem
When using Apache POI 5.5.1 with Log4j 2.25.4, tests fail with
NoClassDefFoundError for XSSFWorkbook. The root cause is a
NullPointerException during Log4j's StatusLogger initialization.
Background
Log4j versions 2.21.0 through 2.25.3 have a security vulnerability
(CVE-related to Rfc5424Layout CRLF injection). Users are advised to
upgrade to Log4j 2.25.4 to address this issue. However, upgrading
breaks Apache POI functionality.
Error Message
java.lang.NoClassDefFoundError: Could not initialize class org.apache.poi.xssf.usermodel.XSSFWorkbook
Root Cause Stack Trace
Caused by: java.lang.NullPointerException
    at org.apache.logging.log4j.status.StatusLogger.<init>(StatusLogger.java:534)
    at org.apache.logging.log4j.status.StatusLogger$InstanceHolder.<clinit>(StatusLogger.java:565)
    at org.apache.logging.log4j.status.StatusLogger.getLogger(StatusLogger.java:579)
    at org.apache.logging.log4j.LogManager.<clinit>(LogManager.java:93)
    at org.apache.logging.log4j.spi.AbstractLoggerAdapter.getContext(AbstractLoggerAdapter.java:122)
    at org.apache.logging.log4j.jul.AbstractLoggerAdapter.getContext(AbstractLoggerAdapter.java:34)
    at org.apache.logging.log4j.spi.AbstractLoggerAdapter.getLogger(AbstractLoggerAdapter.java:46)
    at org.apache.logging.log4j.jul.LogManager.getLogger(LogManager.java:89)
    at org.apache.poi.logging.POILogger.<init>(POILogger.java:35)
    ...
Expected Behavior
Apache POI should work with Log4j 2.25.4, especially since users need to
upgrade to address security vulnerabilities in earlier versions.
Workaround
Currently, the only workaround is to use Log4j 2.24.3 or earlier, which
leaves the security vulnerability unpatched.
Request
Please update Apache POI's logging compatibility to work with Log4j
2.25.x, or provide guidance on how to configure POI to work with the
latest secure Log4j version.
Related
- POI uses log4j-bom:2.24.3 in its build
- Log4j 2.25.x introduced breaking changes in StatusLogger initialization