[jira] [Commented] (IGNITE-16650) Exclude ignite-log4j, log4j 1.2.17
[
https://issues.apache.org/jira/browse/IGNITE-16650?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17570012#comment-17570012
]
Mikhail Petrov commented on IGNITE-16650:
-
[~namelchev] Thanks a lot for the review!
> Exclude ignite-log4j, log4j 1.2.17
> --
>
> Key: IGNITE-16650
> URL: https://issues.apache.org/jira/browse/IGNITE-16650
> Project: Ignite
> Issue Type: Improvement
>Reporter: Sergei Ryzhov
>Assignee: Mikhail Petrov
>Priority: Major
> Labels: important, ise
> Fix For: 2.14
>
> Time Spent: 40m
> Remaining Estimate: 0h
>
> log4j 1.2.17 is not supported and contains critical vulnerabilities
> https://blogs.apache.org/foundation/entry/apache_logging_services_project_announces
> I suggest excluding the ignite-log4j module from ignite
> Direct vulnerabilities:
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23305
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23302
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4104
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17571
> As a result of the mentioned migration, the following changes will be applied:
> 1. ignite-log4j.xml will be migrated to log4j2 format. Unfortunately after
> the refactoring we will get two configuration ignite-log4j.xml and
> ignite-log4j2.xml both in log4j2 format because ignite-log4j2.xml is in use
> now and but provide log formatitng different from ignite-log4j.xml.
> 2. core/src/test/config/log4j-test.xml will not be migrated to log4j2 because
> it is used with compatibility tests.
> 3. core/src/test/config/log4j2-test.xml is refactored to suite current log4j
> format. The current version of core/src/test/config/log4j2-test.xml is
> moved to the log4j2/src/test/config folder.
> 4. osgi-paxlogging will be removed because it's only meant to provide some
> log4j dependencies. We have no need in them now.
> 5. Exception logging format will change slightly:
> Before:
> {code:java}
> class org.apache.ignite.IgniteException: Platform error:System.Exception:
> EXCEPTION_TEST_Warn
> at
> org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.loggerLog(PlatformProcessorImpl.java:449)
> at
> org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.processInStreamOutLong(PlatformProcessorImpl.java:511)
> at
> org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.processInStreamOutLong(PlatformProcessorImpl.java:575)
> at
> org.apache.ignite.internal.processors.platform.PlatformTargetProxyImpl.inStreamOutLong(PlatformTargetProxyImpl.java:67)
> {code}
> After:
> {code:java}
> org.apache.ignite.IgniteException: Platform error:System.Exception:
> EXCEPTION_TEST_Warn
> at
> org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.loggerLog(PlatformProcessorImpl.java:449)
> at
> org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.processInStreamOutLong(PlatformProcessorImpl.java:511)
> at
> org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.processInStreamOutLong(PlatformProcessorImpl.java:575)
> at
> org.apache.ignite.internal.processors.platform.PlatformTargetProxyImpl.inStreamOutLong(PlatformTargetProxyImpl.java:67)
> {code}
> As you can see, only the first word "class" is omitted.
> 6. All other files containing log4j configuration will be refactored to suite
> log4j2 and will be renamed if previously their name allowed log4j to
> automatically find them in the class path (e.g. log4j.xml -> log4j2.xml and
> so on)
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Commented] (IGNITE-16650) Exclude ignite-log4j, log4j 1.2.17
[
https://issues.apache.org/jira/browse/IGNITE-16650?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17569348#comment-17569348
]
Amelchev Nikita commented on IGNITE-16650:
--
Merged into the master.
[~RyzhovSV], thank you for the initial contribution!
[~PetrovMikhail], thank you for the contribution!
> Exclude ignite-log4j, log4j 1.2.17
> --
>
> Key: IGNITE-16650
> URL: https://issues.apache.org/jira/browse/IGNITE-16650
> Project: Ignite
> Issue Type: Improvement
>Reporter: Sergei Ryzhov
>Assignee: Mikhail Petrov
>Priority: Major
> Labels: important, ise
> Fix For: 2.14
>
> Time Spent: 40m
> Remaining Estimate: 0h
>
> log4j 1.2.17 is not supported and contains critical vulnerabilities
> https://blogs.apache.org/foundation/entry/apache_logging_services_project_announces
> I suggest excluding the ignite-log4j module from ignite
> Direct vulnerabilities:
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23305
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23302
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4104
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17571
> As a result of the mentioned migration, the following changes will be applied:
> 1. ignite-log4j.xml will be migrated to log4j2 format. Unfortunately after
> the refactoring we will get two configuration ignite-log4j.xml and
> ignite-log4j2.xml both in log4j2 format because ignite-log4j2.xml is in use
> now and but provide log formatitng different from ignite-log4j.xml.
> 2. core/src/test/config/log4j-test.xml will not be migrated to log4j2 because
> it is used with compatibility tests.
> 3. core/src/test/config/log4j2-test.xml is refactored to suite current log4j
> format. The current version of core/src/test/config/log4j2-test.xml is
> moved to the log4j2/src/test/config folder.
> 4. osgi-paxlogging will be removed because it's only meant to provide some
> log4j dependencies. We have no need in them now.
> 5. Exception logging format will change slightly:
> Before:
> {code:java}
> class org.apache.ignite.IgniteException: Platform error:System.Exception:
> EXCEPTION_TEST_Warn
> at
> org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.loggerLog(PlatformProcessorImpl.java:449)
> at
> org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.processInStreamOutLong(PlatformProcessorImpl.java:511)
> at
> org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.processInStreamOutLong(PlatformProcessorImpl.java:575)
> at
> org.apache.ignite.internal.processors.platform.PlatformTargetProxyImpl.inStreamOutLong(PlatformTargetProxyImpl.java:67)
> {code}
> After:
> {code:java}
> org.apache.ignite.IgniteException: Platform error:System.Exception:
> EXCEPTION_TEST_Warn
> at
> org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.loggerLog(PlatformProcessorImpl.java:449)
> at
> org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.processInStreamOutLong(PlatformProcessorImpl.java:511)
> at
> org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.processInStreamOutLong(PlatformProcessorImpl.java:575)
> at
> org.apache.ignite.internal.processors.platform.PlatformTargetProxyImpl.inStreamOutLong(PlatformTargetProxyImpl.java:67)
> {code}
> As you can see, only the first word "class" is omitted.
> 6. All other files containing log4j configuration will be refactored to suite
> log4j2 and will be renamed if previously their name allowed log4j to
> automatically find them in the class path (e.g. log4j.xml -> log4j2.xml and
> so on)
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Commented] (IGNITE-16650) Exclude ignite-log4j, log4j 1.2.17
[
https://issues.apache.org/jira/browse/IGNITE-16650?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17569058#comment-17569058
]
Ignite TC Bot commented on IGNITE-16650:
{panel:title=Branch: [pull/10152/head] Base: [master] : No blockers
found!|borderStyle=dashed|borderColor=#ccc|titleBGColor=#D6F7C1}{panel}
{panel:title=Branch: [pull/10152/head] Base: [master] : No new tests
found!|borderStyle=dashed|borderColor=#ccc|titleBGColor=#F7D6C1}{panel}
[TeamCity *-- Run :: All*
Results|https://ci.ignite.apache.org/viewLog.html?buildId=6688631buildTypeId=IgniteTests24Java8_RunAll]
> Exclude ignite-log4j, log4j 1.2.17
> --
>
> Key: IGNITE-16650
> URL: https://issues.apache.org/jira/browse/IGNITE-16650
> Project: Ignite
> Issue Type: Bug
>Reporter: Sergei Ryzhov
>Assignee: Mikhail Petrov
>Priority: Major
> Labels: ise
> Time Spent: 0.5h
> Remaining Estimate: 0h
>
> log4j 1.2.17 is not supported and contains critical vulnerabilities
> https://blogs.apache.org/foundation/entry/apache_logging_services_project_announces
> I suggest excluding the ignite-log4j module from ignite
> Direct vulnerabilities:
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23305
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23302
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4104
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17571
> As a result of the mentioned migration, the following changes will be applied:
> 1. ignite-log4j.xml will be migrated to log4j2 format. Unfortunately after
> the refactoring we will get two configuration ignite-log4j.xml and
> ignite-log4j2.xml both in log4j2 format because ignite-log4j2.xml is in use
> now and but provide log formatitng different from ignite-log4j.xml.
> 2. core/src/test/config/log4j-test.xml will not be migrated to log4j2 because
> it is used with compatibility tests.
> 3. core/src/test/config/log4j2-test.xml is refactored to suite current log4j
> format. The current version of core/src/test/config/log4j2-test.xml is
> moved to the log4j2/src/test/config folder.
> 4. osgi-paxlogging will be removed because it's only meant to provide some
> log4j dependencies. We have no need in them now.
> 5. Exception logging format will change slightly:
> Before:
> {code:java}
> class org.apache.ignite.IgniteException: Platform error:System.Exception:
> EXCEPTION_TEST_Warn
> at
> org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.loggerLog(PlatformProcessorImpl.java:449)
> at
> org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.processInStreamOutLong(PlatformProcessorImpl.java:511)
> at
> org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.processInStreamOutLong(PlatformProcessorImpl.java:575)
> at
> org.apache.ignite.internal.processors.platform.PlatformTargetProxyImpl.inStreamOutLong(PlatformTargetProxyImpl.java:67)
> {code}
> After:
> {code:java}
> org.apache.ignite.IgniteException: Platform error:System.Exception:
> EXCEPTION_TEST_Warn
> at
> org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.loggerLog(PlatformProcessorImpl.java:449)
> at
> org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.processInStreamOutLong(PlatformProcessorImpl.java:511)
> at
> org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.processInStreamOutLong(PlatformProcessorImpl.java:575)
> at
> org.apache.ignite.internal.processors.platform.PlatformTargetProxyImpl.inStreamOutLong(PlatformTargetProxyImpl.java:67)
> {code}
> As you can see, only the first word "class" is omitted.
> 6. All other files containing log4j configuration will be refactored to suite
> log4j2 and will be renamed if previously their name allowed log4j to
> automatically find them in the class path (e.g. log4j.xml -> log4j2.xml and
> so on)
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Commented] (IGNITE-16650) Exclude ignite-log4j, log4j 1.2.17
[
https://issues.apache.org/jira/browse/IGNITE-16650?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17543944#comment-17543944
]
Maxim Muzafarov commented on IGNITE-16650:
--
During the migration to the log4j2 we can also highlingh the logs:
log4j2 - %highlight{%d [%t] %-5level: %msg%n%throwable}{FATAL=white, ERROR=red,
WARN=blue, INFO=black, DEBUG=green, TRACE=blue}
> Exclude ignite-log4j, log4j 1.2.17
> --
>
> Key: IGNITE-16650
> URL: https://issues.apache.org/jira/browse/IGNITE-16650
> Project: Ignite
> Issue Type: Bug
>Reporter: Sergei Ryzhov
>Assignee: Sergei Ryzhov
>Priority: Major
> Labels: ise
> Time Spent: 10m
> Remaining Estimate: 0h
>
> log4j 1.2.17 is not supported and contains critical vulnerabilities
> https://blogs.apache.org/foundation/entry/apache_logging_services_project_announces
> I suggest excluding the ignite-log4j module from ignite
> Direct vulnerabilities:
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23305
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23302
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4104
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17571
--
This message was sent by Atlassian Jira
(v8.20.7#820007)
