[ 
https://issues.apache.org/jira/browse/IGNITE-16650?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Amelchev Nikita updated IGNITE-16650:
-------------------------------------
    Issue Type: Improvement  (was: Bug)

> Exclude ignite-log4j, log4j 1.2.17
> ----------------------------------
>
>                 Key: IGNITE-16650
>                 URL: https://issues.apache.org/jira/browse/IGNITE-16650
>             Project: Ignite
>          Issue Type: Improvement
>            Reporter: Sergei Ryzhov
>            Assignee: Mikhail Petrov
>            Priority: Major
>              Labels: important, ise
>             Fix For: 2.14
>
>          Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> log4j 1.2.17 is not supported and contains critical vulnerabilities
> https://blogs.apache.org/foundation/entry/apache_logging_services_project_announces
> I suggest excluding the ignite-log4j module from ignite
> Direct vulnerabilities:
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23305
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23302
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4104
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17571
> As a result of the mentioned migration, the following changes will be applied:
> 1. ignite-log4j.xml will be migrated to log4j2 format. Unfortunately after 
> the refactoring we will get two configuration ignite-log4j.xml and 
> ignite-log4j2.xml both in log4j2 format because ignite-log4j2.xml is in use 
> now and but provide log formatitng different from ignite-log4j.xml.
> 2. core/src/test/config/log4j-test.xml will not be migrated to log4j2 because 
> it is used with compatibility tests.
> 3. core/src/test/config/log4j2-test.xml is refactored to suite current log4j 
> format. The current  version of core/src/test/config/log4j2-test.xml  is 
> moved to the log4j2/src/test/config folder.
> 4. osgi-paxlogging will be removed because it's only meant to provide some 
> log4j dependencies. We have no need in them now.
> 5. Exception logging format will change slightly:
> Before:
> {code:java}
> class org.apache.ignite.IgniteException: Platform error:System.Exception: 
> EXCEPTION_TEST_Warn
>       at 
> org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.loggerLog(PlatformProcessorImpl.java:449)
>       at 
> org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.processInStreamOutLong(PlatformProcessorImpl.java:511)
>       at 
> org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.processInStreamOutLong(PlatformProcessorImpl.java:575)
>       at 
> org.apache.ignite.internal.processors.platform.PlatformTargetProxyImpl.inStreamOutLong(PlatformTargetProxyImpl.java:67)
> {code}
> After:
> {code:java}
> org.apache.ignite.IgniteException: Platform error:System.Exception: 
> EXCEPTION_TEST_Warn
>       at 
> org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.loggerLog(PlatformProcessorImpl.java:449)
>       at 
> org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.processInStreamOutLong(PlatformProcessorImpl.java:511)
>       at 
> org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.processInStreamOutLong(PlatformProcessorImpl.java:575)
>       at 
> org.apache.ignite.internal.processors.platform.PlatformTargetProxyImpl.inStreamOutLong(PlatformTargetProxyImpl.java:67)
> {code}
> As you can see, only the first word "class" is omitted.
> 6. All other files containing log4j configuration will be refactored to suite 
> log4j2 and will be renamed if previously their name allowed log4j to 
> automatically find them in the class path (e.g. log4j.xml -> log4j2.xml and 
> so on)



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to