[ 
https://issues.apache.org/jira/browse/IGNITE-16650?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Mikhail Petrov updated IGNITE-16650:
------------------------------------
    Description: 
log4j 1.2.17 is not supported and contains critical vulnerabilities
https://blogs.apache.org/foundation/entry/apache_logging_services_project_announces

I suggest excluding the ignite-log4j module from ignite

Direct vulnerabilities:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23305
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23302
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4104
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17571

As a result of the mentioned migration, the following changes will be applied:
1. ignite-log4j.xml will be migrated to log4j2 format. Unfortunately after the 
refactoring we will get two configurations, ignite-log4j.xml and 
ignite-log4j2.xml, both in log4j2 format because the main goal of this 
refactoring is to keep current log formatting that is used with log4j intact. 
Currently ignite-log4j.xml and ignite-log4j2.xml provide different log formats 
for log4j and log4j2 respectively.
2. core/src/test/config/log4j-test.xml will not be migrated to log4j2 because 
it is used with compatibility tests.
3. core/src/test/config/log4j2-test.xml is refactored to suit the current log4j 
format. The current version of core/src/test/config/log4j2-test.xml is moved 
to the log4j2/src/test/config folder.
4. osgi-paxlogging will be removed because it's only meant to provide some 
log4j dependencies. We have no need for them now.
5. Exception logging format will change slightly:

Before:
{code:java}
class org.apache.ignite.IgniteException: Platform error:System.Exception: EXCEPTION_TEST_Warn
        at org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.loggerLog(PlatformProcessorImpl.java:449)
        at org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.processInStreamOutLong(PlatformProcessorImpl.java:511)
        at org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.processInStreamOutLong(PlatformProcessorImpl.java:575)
        at org.apache.ignite.internal.processors.platform.PlatformTargetProxyImpl.inStreamOutLong(PlatformTargetProxyImpl.java:67)
{code}
After:
{code:java}
org.apache.ignite.IgniteException: Platform error:System.Exception: EXCEPTION_TEST_Warn
        at org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.loggerLog(PlatformProcessorImpl.java:449)
        at org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.processInStreamOutLong(PlatformProcessorImpl.java:511)
        at org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.processInStreamOutLong(PlatformProcessorImpl.java:575)
        at org.apache.ignite.internal.processors.platform.PlatformTargetProxyImpl.inStreamOutLong(PlatformTargetProxyImpl.java:67)
{code}
As you can see, only the first word "class" is omitted.
6. All other files containing log4j configuration will be refactored to suit 
log4j2 and will be renamed if previously their name allowed log4j to 
automatically find them in the class path (e.g. log4j.xml -> log4j2.xml and so 
on)




  was:
log4j 1.2.17 is not supported and contains critical vulnerabilities
https://blogs.apache.org/foundation/entry/apache_logging_services_project_announces

I suggest excluding the ignite-log4j module from ignite

Direct vulnerabilities:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23305
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23302
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4104
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17571

As a result of the mentioned migration, the following changes will be applied:
1. ignite-log4j.xml will be migrated to log4j2 format. Unfortunately after the 
refactoring we will get two configurations, ignite-log4j.xml and 
ignite-log4j2.xml, both in log4j2 format because the main goal of this 
refactoring is to keep current log formatting that is used with log4j intact. 
Currently ignite-log4j.xml and ignite-log4j2.xml provide different log formats 
for log4j and log4j2 respectively.
2. core/src/test/config/log4j-test.xml will not be migrated to log4j2 because 
it is used in compatibility tests.
3. core/src/test/config/log4j2-test.xml is refactored to suit the current log4j 
format. The current version of core/src/test/config/log4j2-test.xml is moved 
to the log4j2/src/test/config folder/
4. osgi-paxlogging will be removed because it's only meant to provide some 
log4j dependencies.
5. Exception logging format will change slightly:

Before:
{code:java}
class org.apache.ignite.IgniteException: Platform error:System.Exception: EXCEPTION_TEST_Warn
        at org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.loggerLog(PlatformProcessorImpl.java:449)
        at org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.processInStreamOutLong(PlatformProcessorImpl.java:511)
        at org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.processInStreamOutLong(PlatformProcessorImpl.java:575)
        at org.apache.ignite.internal.processors.platform.PlatformTargetProxyImpl.inStreamOutLong(PlatformTargetProxyImpl.java:67)
{code}
After:
{code:java}
org.apache.ignite.IgniteException: Platform error:System.Exception: EXCEPTION_TEST_Warn
        at org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.loggerLog(PlatformProcessorImpl.java:449)
        at org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.processInStreamOutLong(PlatformProcessorImpl.java:511)
        at org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.processInStreamOutLong(PlatformProcessorImpl.java:575)
        at org.apache.ignite.internal.processors.platform.PlatformTargetProxyImpl.inStreamOutLong(PlatformTargetProxyImpl.java:67)
{code}
As we see - only the first "class" word is omitted.
6. All other files containing log4j configuration will be refactored to suit 
log4j2 and will be renamed if previously their name allowed log4j to 
automatically find them in the class path (e.g. log4j.xml -> log4j2.xml and so 
on)





> Exclude ignite-log4j, log4j 1.2.17
> ----------------------------------
>
>                 Key: IGNITE-16650
>                 URL: https://issues.apache.org/jira/browse/IGNITE-16650
>             Project: Ignite
>          Issue Type: Bug
>            Reporter: Sergei Ryzhov
>            Assignee: Mikhail Petrov
>            Priority: Major
>              Labels: ise
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> log4j 1.2.17 is not supported and contains critical vulnerabilities
> https://blogs.apache.org/foundation/entry/apache_logging_services_project_announces
> I suggest excluding the ignite-log4j module from ignite
> Direct vulnerabilities:
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23305
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23302
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4104
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17571
> As a result of the mentioned migration, the following changes will be applied:
> 1. ignite-log4j.xml will be migrated to log4j2 format. Unfortunately after 
> the refactoring we will get two configurations, ignite-log4j.xml and 
> ignite-log4j2.xml, both in log4j2 format because the main goal of this 
> refactoring is to keep current log formatting that is used with log4j intact. 
> Currently ignite-log4j.xml and ignite-log4j2.xml provide different log 
> formats for log4j and log4j2 respectively.
> 2. core/src/test/config/log4j-test.xml will not be migrated to log4j2 because 
> it is used with compatibility tests.
> 3. core/src/test/config/log4j2-test.xml is refactored to suit the current log4j 
> format. The current version of core/src/test/config/log4j2-test.xml is 
> moved to the log4j2/src/test/config folder.
> 4. osgi-paxlogging will be removed because it's only meant to provide some 
> log4j dependencies. We have no need for them now.
> 5. Exception logging format will change slightly:
> Before:
> {code:java}
> class org.apache.ignite.IgniteException: Platform error:System.Exception: EXCEPTION_TEST_Warn
>       at org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.loggerLog(PlatformProcessorImpl.java:449)
>       at org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.processInStreamOutLong(PlatformProcessorImpl.java:511)
>       at org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.processInStreamOutLong(PlatformProcessorImpl.java:575)
>       at org.apache.ignite.internal.processors.platform.PlatformTargetProxyImpl.inStreamOutLong(PlatformTargetProxyImpl.java:67)
> {code}
> After:
> {code:java}
> org.apache.ignite.IgniteException: Platform error:System.Exception: EXCEPTION_TEST_Warn
>       at org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.loggerLog(PlatformProcessorImpl.java:449)
>       at org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.processInStreamOutLong(PlatformProcessorImpl.java:511)
>       at org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.processInStreamOutLong(PlatformProcessorImpl.java:575)
>       at org.apache.ignite.internal.processors.platform.PlatformTargetProxyImpl.inStreamOutLong(PlatformTargetProxyImpl.java:67)
> {code}
> As you can see, only the first word "class" is omitted.
> 6. All other files containing log4j configuration will be refactored to suit 
> log4j2 and will be renamed if previously their name allowed log4j to 
> automatically find them in the class path (e.g. log4j.xml -> log4j2.xml and 
> so on)
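
A post-migration check for items 1, 4 and 6 above, as an added example that is not part of the issue or of Ignite's code: it walks a build tree and reports configuration files whose names log4j 1.x would still auto-discover, plus jars that are log4j 1.x by name or by packaged class. The function names, the sample tree and the class-to-CVE mapping (taken from the public CVE descriptions, not from the issue text) are assumptions of this example.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Names log4j 1.x loads from the class path with no explicit configuration.
LOG4J1_AUTO_CONFIGS = {"log4j.xml", "log4j.properties"}
LOG4J1_JAR = re.compile(r"^log4j-1\.\d+(\.\d+)*\.jar$")  # e.g. log4j-1.2.17.jar
# Classes named in the public descriptions of the CVEs linked in the issue.
CVE_CLASSES = {
    "org/apache/log4j/net/SocketServer.class": "CVE-2019-17571",
    "org/apache/log4j/net/JMSAppender.class": "CVE-2021-4104",
    "org/apache/log4j/net/JMSSink.class": "CVE-2022-23302",
    "org/apache/log4j/jdbc/JDBCAppender.class": "CVE-2022-23305",
}

def jar_cves(path):
    """CVE ids whose class is packaged in the jar; catches renamed and fat jars."""
    try:
        with zipfile.ZipFile(path) as jar:
            names = set(jar.namelist())
    except (zipfile.BadZipFile, OSError):
        return []  # unreadable archive: fall back to the file-name check
    return sorted(cve for cls, cve in CVE_CLASSES.items() if cls in names)

def find_log4j1_leftovers(root):
    """Return sorted (relative path, reason) pairs for log4j 1.x configs and jars."""
    findings = []
    for path in (p for p in Path(root).rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if path.name in LOG4J1_AUTO_CONFIGS:
            findings.append((rel, "auto-discovered log4j 1.x config"))
        elif path.suffix == ".jar":
            cves = jar_cves(path)
            if cves or LOG4J1_JAR.match(path.name):
                findings.append((rel, ", ".join(cves) or "log4j 1.x jar name"))
    return sorted(findings)

def demo():
    """Scan a constructed sample tree; files are empty, only the names matter."""
    with tempfile.TemporaryDirectory() as root:
        for rel in ("config/log4j.xml", "config/log4j2.xml",
                    "core/src/test/config/log4j-test.xml", "libs/log4j-1.2.17.jar"):
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.touch()
        with zipfile.ZipFile(Path(root, "libs", "app-all.jar"), "w") as jar:
            jar.writestr("org/apache/log4j/net/JMSAppender.class", b"")
        return find_log4j1_leftovers(root)
```

A class-name hit means the jar needs review rather than proving it is vulnerable, since a repackaged or forked library that keeps the `org.apache.log4j` package also matches. `log4j-test.xml` is not reported because that name is not one log4j 1.x discovers on its own.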


