[jira] [Commented] (IGNITE-16650) Exclude ignite-log4j, log4j 1.2.17
[ https://issues.apache.org/jira/browse/IGNITE-16650?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17570012#comment-17570012 ] Mikhail Petrov commented on IGNITE-16650: - [~namelchev] Thanks a lot for the review! > Exclude ignite-log4j, log4j 1.2.17 > -- > > Key: IGNITE-16650 > URL: https://issues.apache.org/jira/browse/IGNITE-16650 > Project: Ignite > Issue Type: Improvement >Reporter: Sergei Ryzhov >Assignee: Mikhail Petrov >Priority: Major > Labels: important, ise > Fix For: 2.14 > > Time Spent: 40m > Remaining Estimate: 0h > > log4j 1.2.17 is not supported and contains critical vulnerabilities > https://blogs.apache.org/foundation/entry/apache_logging_services_project_announces > I suggest excluding the ignite-log4j module from ignite > Direct vulnerabilities: > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23305 > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23302 > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4104 > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17571 > As a result of the mentioned migration, the following changes will be applied: > 1. ignite-log4j.xml will be migrated to log4j2 format. Unfortunately after > the refactoring we will get two configuration ignite-log4j.xml and > ignite-log4j2.xml both in log4j2 format because ignite-log4j2.xml is in use > now and but provide log formatitng different from ignite-log4j.xml. > 2. core/src/test/config/log4j-test.xml will not be migrated to log4j2 because > it is used with compatibility tests. > 3. core/src/test/config/log4j2-test.xml is refactored to suite current log4j > format. The current version of core/src/test/config/log4j2-test.xml is > moved to the log4j2/src/test/config folder. > 4. osgi-paxlogging will be removed because it's only meant to provide some > log4j dependencies. We have no need in them now. > 5. Exception logging format will change slightly: > Before: > {code:java} > class org.apache.ignite.IgniteException: Platform error:System.Exception: > EXCEPTION_TEST_Warn > at > org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.loggerLog(PlatformProcessorImpl.java:449) > at > org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.processInStreamOutLong(PlatformProcessorImpl.java:511) > at > org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.processInStreamOutLong(PlatformProcessorImpl.java:575) > at > org.apache.ignite.internal.processors.platform.PlatformTargetProxyImpl.inStreamOutLong(PlatformTargetProxyImpl.java:67) > {code} > After: > {code:java} > org.apache.ignite.IgniteException: Platform error:System.Exception: > EXCEPTION_TEST_Warn > at > org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.loggerLog(PlatformProcessorImpl.java:449) > at > org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.processInStreamOutLong(PlatformProcessorImpl.java:511) > at > org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.processInStreamOutLong(PlatformProcessorImpl.java:575) > at > org.apache.ignite.internal.processors.platform.PlatformTargetProxyImpl.inStreamOutLong(PlatformTargetProxyImpl.java:67) > {code} > As you can see, only the first word "class" is omitted. > 6. All other files containing log4j configuration will be refactored to suite > log4j2 and will be renamed if previously their name allowed log4j to > automatically find them in the class path (e.g. log4j.xml -> log4j2.xml and > so on) -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (IGNITE-16650) Exclude ignite-log4j, log4j 1.2.17
[ https://issues.apache.org/jira/browse/IGNITE-16650?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17569348#comment-17569348 ] Amelchev Nikita commented on IGNITE-16650: -- Merged into the master. [~RyzhovSV], thank you for the initial contribution! [~PetrovMikhail], thank you for the contribution! > Exclude ignite-log4j, log4j 1.2.17 > -- > > Key: IGNITE-16650 > URL: https://issues.apache.org/jira/browse/IGNITE-16650 > Project: Ignite > Issue Type: Improvement >Reporter: Sergei Ryzhov >Assignee: Mikhail Petrov >Priority: Major > Labels: important, ise > Fix For: 2.14 > > Time Spent: 40m > Remaining Estimate: 0h > > log4j 1.2.17 is not supported and contains critical vulnerabilities > https://blogs.apache.org/foundation/entry/apache_logging_services_project_announces > I suggest excluding the ignite-log4j module from ignite > Direct vulnerabilities: > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23305 > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23302 > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4104 > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17571 > As a result of the mentioned migration, the following changes will be applied: > 1. ignite-log4j.xml will be migrated to log4j2 format. Unfortunately after > the refactoring we will get two configuration ignite-log4j.xml and > ignite-log4j2.xml both in log4j2 format because ignite-log4j2.xml is in use > now and but provide log formatitng different from ignite-log4j.xml. > 2. core/src/test/config/log4j-test.xml will not be migrated to log4j2 because > it is used with compatibility tests. > 3. core/src/test/config/log4j2-test.xml is refactored to suite current log4j > format. The current version of core/src/test/config/log4j2-test.xml is > moved to the log4j2/src/test/config folder. > 4. osgi-paxlogging will be removed because it's only meant to provide some > log4j dependencies. We have no need in them now. > 5. Exception logging format will change slightly: > Before: > {code:java} > class org.apache.ignite.IgniteException: Platform error:System.Exception: > EXCEPTION_TEST_Warn > at > org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.loggerLog(PlatformProcessorImpl.java:449) > at > org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.processInStreamOutLong(PlatformProcessorImpl.java:511) > at > org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.processInStreamOutLong(PlatformProcessorImpl.java:575) > at > org.apache.ignite.internal.processors.platform.PlatformTargetProxyImpl.inStreamOutLong(PlatformTargetProxyImpl.java:67) > {code} > After: > {code:java} > org.apache.ignite.IgniteException: Platform error:System.Exception: > EXCEPTION_TEST_Warn > at > org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.loggerLog(PlatformProcessorImpl.java:449) > at > org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.processInStreamOutLong(PlatformProcessorImpl.java:511) > at > org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.processInStreamOutLong(PlatformProcessorImpl.java:575) > at > org.apache.ignite.internal.processors.platform.PlatformTargetProxyImpl.inStreamOutLong(PlatformTargetProxyImpl.java:67) > {code} > As you can see, only the first word "class" is omitted. > 6. All other files containing log4j configuration will be refactored to suite > log4j2 and will be renamed if previously their name allowed log4j to > automatically find them in the class path (e.g. log4j.xml -> log4j2.xml and > so on) -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (IGNITE-16650) Exclude ignite-log4j, log4j 1.2.17
[ https://issues.apache.org/jira/browse/IGNITE-16650?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17569058#comment-17569058 ] Ignite TC Bot commented on IGNITE-16650: {panel:title=Branch: [pull/10152/head] Base: [master] : No blockers found!|borderStyle=dashed|borderColor=#ccc|titleBGColor=#D6F7C1}{panel} {panel:title=Branch: [pull/10152/head] Base: [master] : No new tests found!|borderStyle=dashed|borderColor=#ccc|titleBGColor=#F7D6C1}{panel} [TeamCity *-- Run :: All* Results|https://ci.ignite.apache.org/viewLog.html?buildId=6688631buildTypeId=IgniteTests24Java8_RunAll] > Exclude ignite-log4j, log4j 1.2.17 > -- > > Key: IGNITE-16650 > URL: https://issues.apache.org/jira/browse/IGNITE-16650 > Project: Ignite > Issue Type: Bug >Reporter: Sergei Ryzhov >Assignee: Mikhail Petrov >Priority: Major > Labels: ise > Time Spent: 0.5h > Remaining Estimate: 0h > > log4j 1.2.17 is not supported and contains critical vulnerabilities > https://blogs.apache.org/foundation/entry/apache_logging_services_project_announces > I suggest excluding the ignite-log4j module from ignite > Direct vulnerabilities: > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23305 > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23302 > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4104 > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17571 > As a result of the mentioned migration, the following changes will be applied: > 1. ignite-log4j.xml will be migrated to log4j2 format. Unfortunately after > the refactoring we will get two configuration ignite-log4j.xml and > ignite-log4j2.xml both in log4j2 format because ignite-log4j2.xml is in use > now and but provide log formatitng different from ignite-log4j.xml. > 2. core/src/test/config/log4j-test.xml will not be migrated to log4j2 because > it is used with compatibility tests. > 3. core/src/test/config/log4j2-test.xml is refactored to suite current log4j > format. The current version of core/src/test/config/log4j2-test.xml is > moved to the log4j2/src/test/config folder. > 4. osgi-paxlogging will be removed because it's only meant to provide some > log4j dependencies. We have no need in them now. > 5. Exception logging format will change slightly: > Before: > {code:java} > class org.apache.ignite.IgniteException: Platform error:System.Exception: > EXCEPTION_TEST_Warn > at > org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.loggerLog(PlatformProcessorImpl.java:449) > at > org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.processInStreamOutLong(PlatformProcessorImpl.java:511) > at > org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.processInStreamOutLong(PlatformProcessorImpl.java:575) > at > org.apache.ignite.internal.processors.platform.PlatformTargetProxyImpl.inStreamOutLong(PlatformTargetProxyImpl.java:67) > {code} > After: > {code:java} > org.apache.ignite.IgniteException: Platform error:System.Exception: > EXCEPTION_TEST_Warn > at > org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.loggerLog(PlatformProcessorImpl.java:449) > at > org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.processInStreamOutLong(PlatformProcessorImpl.java:511) > at > org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.processInStreamOutLong(PlatformProcessorImpl.java:575) > at > org.apache.ignite.internal.processors.platform.PlatformTargetProxyImpl.inStreamOutLong(PlatformTargetProxyImpl.java:67) > {code} > As you can see, only the first word "class" is omitted. > 6. All other files containing log4j configuration will be refactored to suite > log4j2 and will be renamed if previously their name allowed log4j to > automatically find them in the class path (e.g. log4j.xml -> log4j2.xml and > so on) -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (IGNITE-16650) Exclude ignite-log4j, log4j 1.2.17
[ https://issues.apache.org/jira/browse/IGNITE-16650?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17543944#comment-17543944 ] Maxim Muzafarov commented on IGNITE-16650: -- During the migration to the log4j2 we can also highlingh the logs: log4j2 - %highlight{%d [%t] %-5level: %msg%n%throwable}{FATAL=white, ERROR=red, WARN=blue, INFO=black, DEBUG=green, TRACE=blue} > Exclude ignite-log4j, log4j 1.2.17 > -- > > Key: IGNITE-16650 > URL: https://issues.apache.org/jira/browse/IGNITE-16650 > Project: Ignite > Issue Type: Bug >Reporter: Sergei Ryzhov >Assignee: Sergei Ryzhov >Priority: Major > Labels: ise > Time Spent: 10m > Remaining Estimate: 0h > > log4j 1.2.17 is not supported and contains critical vulnerabilities > https://blogs.apache.org/foundation/entry/apache_logging_services_project_announces > I suggest excluding the ignite-log4j module from ignite > Direct vulnerabilities: > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23305 > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23302 > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4104 > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17571 -- This message was sent by Atlassian Jira (v8.20.7#820007)