[
https://issues.apache.org/jira/browse/LOG4J2-3232?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Matt Sicker updated LOG4J2-3232:
--------------------------------
Epic Link: LOG4J2-2226
> Log4j 3.0 - Better Java SE modules dependency
> ---------------------------------------------
>
> Key: LOG4J2-3232
> URL: https://issues.apache.org/jira/browse/LOG4J2-3232
> Project: Log4j 2
> Issue Type: New Feature
> Components: Core
> Affects Versions: 2.16.0
> Reporter: Bruno Borges
> Priority: Major
>
> Due to its legacy pre-Java 9 JPMS era, Log4j 2 Core currently has strong
> dependencies to 'java.desktop' and 'java.management' modules. Log4j 2 Core
> breaks and does not work properly without these two modules.
> Module 'java.naming' is referenced but optional for proper runtime operation.
> The RCE vulnerability reported in December 2021 towards Log4j 2.x can be
> mitigated in any Java 9+ version as long the runtime had been assembled with
> jlink and excluding 'java.naming' module.
> As Log4j is reimagined for a 3.0 major new release, it would be recommended
> to have a Core module that relies solely on 'java.base' and 'java.logging',
> while separating/publishing different functionalities as separate
> artifacts/modules, so users can consume them on-demand.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
