[jira] [Updated] (IGNITE-16650) Exclude ignite-log4j, log4j 1.2.17
[ https://issues.apache.org/jira/browse/IGNITE-16650?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Mikhail Petrov updated IGNITE-16650: Description: log4j 1.2.17 is not supported and contains critical vulnerabilities https://blogs.apache.org/foundation/entry/apache_logging_services_project_announces I suggest excluding the ignite-log4j module from ignite Direct vulnerabilities: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23305 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23302 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4104 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17571 As a result of the mentioned migration, the following changes will be applied: 1. ignite-log4j.xml will be migrated to log4j2 format. 2. core/src/test/config/log4j-test.xml will not be migrated to log4j2 because it is used with compatibility tests. 3. core/src/test/config/log4j2-test.xml is refactored to suite current log4j format. The current version of core/src/test/config/log4j2-test.xml is moved to the log4j2/src/test/config folder. 4. osgi-paxlogging will be removed because it's only meant to provide some log4j dependencies. We have no need in them now. 5. Exception logging format will change slightly: Before: {code:java} class org.apache.ignite.IgniteException: Platform error:System.Exception: EXCEPTION_TEST_Warn at org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.loggerLog(PlatformProcessorImpl.java:449) at org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.processInStreamOutLong(PlatformProcessorImpl.java:511) at org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.processInStreamOutLong(PlatformProcessorImpl.java:575) at org.apache.ignite.internal.processors.platform.PlatformTargetProxyImpl.inStreamOutLong(PlatformTargetProxyImpl.java:67) {code} After: {code:java} org.apache.ignite.IgniteException: Platform error:System.Exception: EXCEPTION_TEST_Warn at org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.loggerLog(PlatformProcessorImpl.java:449) at org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.processInStreamOutLong(PlatformProcessorImpl.java:511) at org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.processInStreamOutLong(PlatformProcessorImpl.java:575) at org.apache.ignite.internal.processors.platform.PlatformTargetProxyImpl.inStreamOutLong(PlatformTargetProxyImpl.java:67) {code} As you can see, only the first word "class" is omitted. 6. All other files containing log4j configuration will be refactored to suite log4j2 and will be renamed if previously their name allowed log4j to automatically find them in the class path (e.g. log4j.xml -> log4j2.xml and so on) was: log4j 1.2.17 is not supported and contains critical vulnerabilities https://blogs.apache.org/foundation/entry/apache_logging_services_project_announces I suggest excluding the ignite-log4j module from ignite Direct vulnerabilities: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23305 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23302 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4104 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17571 As a result of the mentioned migration, the following changes will be applied: 1. ignite-log4j.xml will be migrated to log4j2 format. Unfortunately after the refactoring we will get two configuration ignite-log4j.xml and ignite-log4j2.xml both in log4j2 format because ignite-log4j2.xml is in use now and but provide log formatitng different from ignite-log4j.xml. 2. core/src/test/config/log4j-test.xml will not be migrated to log4j2 because it is used with compatibility tests. 3. core/src/test/config/log4j2-test.xml is refactored to suite current log4j format. The current version of core/src/test/config/log4j2-test.xml is moved to the log4j2/src/test/config folder. 4. osgi-paxlogging will be removed because it's only meant to provide some log4j dependencies. We have no need in them now. 5. Exception logging format will change slightly: Before: {code:java} class org.apache.ignite.IgniteException: Platform error:System.Exception: EXCEPTION_TEST_Warn at org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.loggerLog(PlatformProcessorImpl.java:449) at org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.processInStreamOutLong(PlatformProcessorImpl.java:511) at org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.processInStreamOutLong(PlatformProcessorImpl.java:575) at org.apache.ignite.internal.processors.platform.PlatformTargetProxyImpl.inStreamOutLong(PlatformTargetProxyImpl.java:67) {code} After: {code:java} org.apache.ignite.IgniteException: Platform error:System.Exception: EXCEPT
[jira] [Updated] (IGNITE-16650) Exclude ignite-log4j, log4j 1.2.17
[ https://issues.apache.org/jira/browse/IGNITE-16650?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Amelchev Nikita updated IGNITE-16650: - Labels: important ise (was: ise) > Exclude ignite-log4j, log4j 1.2.17 > -- > > Key: IGNITE-16650 > URL: https://issues.apache.org/jira/browse/IGNITE-16650 > Project: Ignite > Issue Type: Bug >Reporter: Sergei Ryzhov >Assignee: Mikhail Petrov >Priority: Major > Labels: important, ise > Fix For: 2.14 > > Time Spent: 0.5h > Remaining Estimate: 0h > > log4j 1.2.17 is not supported and contains critical vulnerabilities > https://blogs.apache.org/foundation/entry/apache_logging_services_project_announces > I suggest excluding the ignite-log4j module from ignite > Direct vulnerabilities: > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23305 > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23302 > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4104 > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17571 > As a result of the mentioned migration, the following changes will be applied: > 1. ignite-log4j.xml will be migrated to log4j2 format. Unfortunately after > the refactoring we will get two configuration ignite-log4j.xml and > ignite-log4j2.xml both in log4j2 format because ignite-log4j2.xml is in use > now and but provide log formatitng different from ignite-log4j.xml. > 2. core/src/test/config/log4j-test.xml will not be migrated to log4j2 because > it is used with compatibility tests. > 3. core/src/test/config/log4j2-test.xml is refactored to suite current log4j > format. The current version of core/src/test/config/log4j2-test.xml is > moved to the log4j2/src/test/config folder. > 4. osgi-paxlogging will be removed because it's only meant to provide some > log4j dependencies. We have no need in them now. > 5. Exception logging format will change slightly: > Before: > {code:java} > class org.apache.ignite.IgniteException: Platform error:System.Exception: > EXCEPTION_TEST_Warn > at > org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.loggerLog(PlatformProcessorImpl.java:449) > at > org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.processInStreamOutLong(PlatformProcessorImpl.java:511) > at > org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.processInStreamOutLong(PlatformProcessorImpl.java:575) > at > org.apache.ignite.internal.processors.platform.PlatformTargetProxyImpl.inStreamOutLong(PlatformTargetProxyImpl.java:67) > {code} > After: > {code:java} > org.apache.ignite.IgniteException: Platform error:System.Exception: > EXCEPTION_TEST_Warn > at > org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.loggerLog(PlatformProcessorImpl.java:449) > at > org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.processInStreamOutLong(PlatformProcessorImpl.java:511) > at > org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.processInStreamOutLong(PlatformProcessorImpl.java:575) > at > org.apache.ignite.internal.processors.platform.PlatformTargetProxyImpl.inStreamOutLong(PlatformTargetProxyImpl.java:67) > {code} > As you can see, only the first word "class" is omitted. > 6. All other files containing log4j configuration will be refactored to suite > log4j2 and will be renamed if previously their name allowed log4j to > automatically find them in the class path (e.g. log4j.xml -> log4j2.xml and > so on) -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Updated] (IGNITE-16650) Exclude ignite-log4j, log4j 1.2.17
[ https://issues.apache.org/jira/browse/IGNITE-16650?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Amelchev Nikita updated IGNITE-16650: - Issue Type: Improvement (was: Bug) > Exclude ignite-log4j, log4j 1.2.17 > -- > > Key: IGNITE-16650 > URL: https://issues.apache.org/jira/browse/IGNITE-16650 > Project: Ignite > Issue Type: Improvement >Reporter: Sergei Ryzhov >Assignee: Mikhail Petrov >Priority: Major > Labels: important, ise > Fix For: 2.14 > > Time Spent: 0.5h > Remaining Estimate: 0h > > log4j 1.2.17 is not supported and contains critical vulnerabilities > https://blogs.apache.org/foundation/entry/apache_logging_services_project_announces > I suggest excluding the ignite-log4j module from ignite > Direct vulnerabilities: > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23305 > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23302 > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4104 > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17571 > As a result of the mentioned migration, the following changes will be applied: > 1. ignite-log4j.xml will be migrated to log4j2 format. Unfortunately after > the refactoring we will get two configuration ignite-log4j.xml and > ignite-log4j2.xml both in log4j2 format because ignite-log4j2.xml is in use > now and but provide log formatitng different from ignite-log4j.xml. > 2. core/src/test/config/log4j-test.xml will not be migrated to log4j2 because > it is used with compatibility tests. > 3. core/src/test/config/log4j2-test.xml is refactored to suite current log4j > format. The current version of core/src/test/config/log4j2-test.xml is > moved to the log4j2/src/test/config folder. > 4. osgi-paxlogging will be removed because it's only meant to provide some > log4j dependencies. We have no need in them now. > 5. Exception logging format will change slightly: > Before: > {code:java} > class org.apache.ignite.IgniteException: Platform error:System.Exception: > EXCEPTION_TEST_Warn > at > org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.loggerLog(PlatformProcessorImpl.java:449) > at > org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.processInStreamOutLong(PlatformProcessorImpl.java:511) > at > org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.processInStreamOutLong(PlatformProcessorImpl.java:575) > at > org.apache.ignite.internal.processors.platform.PlatformTargetProxyImpl.inStreamOutLong(PlatformTargetProxyImpl.java:67) > {code} > After: > {code:java} > org.apache.ignite.IgniteException: Platform error:System.Exception: > EXCEPTION_TEST_Warn > at > org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.loggerLog(PlatformProcessorImpl.java:449) > at > org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.processInStreamOutLong(PlatformProcessorImpl.java:511) > at > org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.processInStreamOutLong(PlatformProcessorImpl.java:575) > at > org.apache.ignite.internal.processors.platform.PlatformTargetProxyImpl.inStreamOutLong(PlatformTargetProxyImpl.java:67) > {code} > As you can see, only the first word "class" is omitted. > 6. All other files containing log4j configuration will be refactored to suite > log4j2 and will be renamed if previously their name allowed log4j to > automatically find them in the class path (e.g. log4j.xml -> log4j2.xml and > so on) -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Updated] (IGNITE-16650) Exclude ignite-log4j, log4j 1.2.17
[ https://issues.apache.org/jira/browse/IGNITE-16650?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Amelchev Nikita updated IGNITE-16650: - Fix Version/s: 2.14 > Exclude ignite-log4j, log4j 1.2.17 > -- > > Key: IGNITE-16650 > URL: https://issues.apache.org/jira/browse/IGNITE-16650 > Project: Ignite > Issue Type: Bug >Reporter: Sergei Ryzhov >Assignee: Mikhail Petrov >Priority: Major > Labels: ise > Fix For: 2.14 > > Time Spent: 0.5h > Remaining Estimate: 0h > > log4j 1.2.17 is not supported and contains critical vulnerabilities > https://blogs.apache.org/foundation/entry/apache_logging_services_project_announces > I suggest excluding the ignite-log4j module from ignite > Direct vulnerabilities: > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23305 > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23302 > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4104 > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17571 > As a result of the mentioned migration, the following changes will be applied: > 1. ignite-log4j.xml will be migrated to log4j2 format. Unfortunately after > the refactoring we will get two configuration ignite-log4j.xml and > ignite-log4j2.xml both in log4j2 format because ignite-log4j2.xml is in use > now and but provide log formatitng different from ignite-log4j.xml. > 2. core/src/test/config/log4j-test.xml will not be migrated to log4j2 because > it is used with compatibility tests. > 3. core/src/test/config/log4j2-test.xml is refactored to suite current log4j > format. The current version of core/src/test/config/log4j2-test.xml is > moved to the log4j2/src/test/config folder. > 4. osgi-paxlogging will be removed because it's only meant to provide some > log4j dependencies. We have no need in them now. > 5. Exception logging format will change slightly: > Before: > {code:java} > class org.apache.ignite.IgniteException: Platform error:System.Exception: > EXCEPTION_TEST_Warn > at > org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.loggerLog(PlatformProcessorImpl.java:449) > at > org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.processInStreamOutLong(PlatformProcessorImpl.java:511) > at > org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.processInStreamOutLong(PlatformProcessorImpl.java:575) > at > org.apache.ignite.internal.processors.platform.PlatformTargetProxyImpl.inStreamOutLong(PlatformTargetProxyImpl.java:67) > {code} > After: > {code:java} > org.apache.ignite.IgniteException: Platform error:System.Exception: > EXCEPTION_TEST_Warn > at > org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.loggerLog(PlatformProcessorImpl.java:449) > at > org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.processInStreamOutLong(PlatformProcessorImpl.java:511) > at > org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.processInStreamOutLong(PlatformProcessorImpl.java:575) > at > org.apache.ignite.internal.processors.platform.PlatformTargetProxyImpl.inStreamOutLong(PlatformTargetProxyImpl.java:67) > {code} > As you can see, only the first word "class" is omitted. > 6. All other files containing log4j configuration will be refactored to suite > log4j2 and will be renamed if previously their name allowed log4j to > automatically find them in the class path (e.g. log4j.xml -> log4j2.xml and > so on) -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Updated] (IGNITE-16650) Exclude ignite-log4j, log4j 1.2.17
[ https://issues.apache.org/jira/browse/IGNITE-16650?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Mikhail Petrov updated IGNITE-16650: Description: log4j 1.2.17 is not supported and contains critical vulnerabilities https://blogs.apache.org/foundation/entry/apache_logging_services_project_announces I suggest excluding the ignite-log4j module from ignite Direct vulnerabilities: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23305 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23302 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4104 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17571 As a result of the mentioned migration, the following changes will be applied: 1. ignite-log4j.xml will be migrated to log4j2 format. Unfortunately after the refactoring we will get two configuration ignite-log4j.xml and ignite-log4j2.xml both in log4j2 format because ignite-log4j2.xml is in use now and but provide log formatitng different from ignite-log4j.xml. 2. core/src/test/config/log4j-test.xml will not be migrated to log4j2 because it is used with compatibility tests. 3. core/src/test/config/log4j2-test.xml is refactored to suite current log4j format. The current version of core/src/test/config/log4j2-test.xml is moved to the log4j2/src/test/config folder. 4. osgi-paxlogging will be removed because it's only meant to provide some log4j dependencies. We have no need in them now. 5. Exception logging format will change slightly: Before: {code:java} class org.apache.ignite.IgniteException: Platform error:System.Exception: EXCEPTION_TEST_Warn at org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.loggerLog(PlatformProcessorImpl.java:449) at org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.processInStreamOutLong(PlatformProcessorImpl.java:511) at org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.processInStreamOutLong(PlatformProcessorImpl.java:575) at org.apache.ignite.internal.processors.platform.PlatformTargetProxyImpl.inStreamOutLong(PlatformTargetProxyImpl.java:67) {code} After: {code:java} org.apache.ignite.IgniteException: Platform error:System.Exception: EXCEPTION_TEST_Warn at org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.loggerLog(PlatformProcessorImpl.java:449) at org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.processInStreamOutLong(PlatformProcessorImpl.java:511) at org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.processInStreamOutLong(PlatformProcessorImpl.java:575) at org.apache.ignite.internal.processors.platform.PlatformTargetProxyImpl.inStreamOutLong(PlatformTargetProxyImpl.java:67) {code} As you can see, only the first word "class" is omitted. 6. All other files containing log4j configuration will be refactored to suite log4j2 and will be renamed if previously their name allowed log4j to automatically find them in the class path (e.g. log4j.xml -> log4j2.xml and so on) was: log4j 1.2.17 is not supported and contains critical vulnerabilities https://blogs.apache.org/foundation/entry/apache_logging_services_project_announces I suggest excluding the ignite-log4j module from ignite Direct vulnerabilities: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23305 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23302 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4104 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17571 As a result of the mentioned migration, the following changes will be applied: 1. ignite-log4j.xml will be migrated to log4j2 format. Unfortunately after the refactoring we will get two configuration ignite-log4j.xml and ignite-log4j2.xml both in log4j2 format because the main goal of this refactoring is to keep current log formatting that is used with log4j intact. Currently ignite-log4j.xml and ignite-log4j2.xml provides different log formats for log4j and log4j2 respectively. 2. core/src/test/config/log4j-test.xml will not be migrated to log4j2 because it is used with compatibility tests. 3. core/src/test/config/log4j2-test.xml is refactored to suite current log4j format. The current version of core/src/test/config/log4j2-test.xml is moved to the log4j2/src/test/config folder. 4. osgi-paxlogging will be removed because it's only meant to provide some log4j dependencies. We have no need in them now. 5. Exception logging format will change slightly: Before: {code:java} class org.apache.ignite.IgniteException: Platform error:System.Exception: EXCEPTION_TEST_Warn at org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.loggerLog(PlatformProcessorImpl.java:449) at org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.processInStreamOutLong(PlatformProcessorImpl.java:511) at or
[jira] [Updated] (IGNITE-16650) Exclude ignite-log4j, log4j 1.2.17
[ https://issues.apache.org/jira/browse/IGNITE-16650?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Mikhail Petrov updated IGNITE-16650: Description: log4j 1.2.17 is not supported and contains critical vulnerabilities https://blogs.apache.org/foundation/entry/apache_logging_services_project_announces I suggest excluding the ignite-log4j module from ignite Direct vulnerabilities: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23305 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23302 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4104 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17571 As a result of the mentioned migration, the following changes will be applied: 1. ignite-log4j.xml will be migrated to log4j2 format. Unfortunately after the refactoring we will get two configuration ignite-log4j.xml and ignite-log4j2.xml both in log4j2 format because the main goal of this refactoring is to keep current log formatting that is used with log4j intact. Currently ignite-log4j.xml and ignite-log4j2.xml provides different log formats for log4j and log4j2 respectively. 2. core/src/test/config/log4j-test.xml will not be migrated to log4j2 because it is used with compatibility tests. 3. core/src/test/config/log4j2-test.xml is refactored to suite current log4j format. The current version of core/src/test/config/log4j2-test.xml is moved to the log4j2/src/test/config folder. 4. osgi-paxlogging will be removed because it's only meant to provide some log4j dependencies. We have no need in them now. 5. Exception logging format will change slightly: Before: {code:java} class org.apache.ignite.IgniteException: Platform error:System.Exception: EXCEPTION_TEST_Warn at org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.loggerLog(PlatformProcessorImpl.java:449) at org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.processInStreamOutLong(PlatformProcessorImpl.java:511) at org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.processInStreamOutLong(PlatformProcessorImpl.java:575) at org.apache.ignite.internal.processors.platform.PlatformTargetProxyImpl.inStreamOutLong(PlatformTargetProxyImpl.java:67) {code} After: {code:java} org.apache.ignite.IgniteException: Platform error:System.Exception: EXCEPTION_TEST_Warn at org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.loggerLog(PlatformProcessorImpl.java:449) at org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.processInStreamOutLong(PlatformProcessorImpl.java:511) at org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.processInStreamOutLong(PlatformProcessorImpl.java:575) at org.apache.ignite.internal.processors.platform.PlatformTargetProxyImpl.inStreamOutLong(PlatformTargetProxyImpl.java:67) {code} As you can see, only the first word "class" is omitted. 6. All other files containing log4j configuration will be refactored to suite log4j2 and will be renamed if previously their name allowed log4j to automatically find them in the class path (e.g. log4j.xml -> log4j2.xml and so on) was: log4j 1.2.17 is not supported and contains critical vulnerabilities https://blogs.apache.org/foundation/entry/apache_logging_services_project_announces I suggest excluding the ignite-log4j module from ignite Direct vulnerabilities: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23305 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23302 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4104 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17571 As a result of the mentioned migration, the following changes will be applied: 1. ignite-log4j.xml will be migrated to log4j2 format. Unfortunately after the refactoring we will get two configuration ignite-log4j.xml and ignite-log4j2.xml both in log4j2 format because the main goal of this refactoring is to keep current log formatting that is used with log4j intact. Currently ignite-log4j.xml and ignite-log4j2.xml provides different log formats for log4j and log4j2 respectively. 2. core/src/test/config/log4j-test.xml will not be migrated to log4j2 because it is used in compatibility tests. 3. core/src/test/config/log4j2-test.xml is refactored to suite current log4j format. The current version of core/src/test/config/log4j2-test.xml is moved to the log4j2/src/test/config folder/ 4. osgi-paxlogging will be removed because it's only meant to provide some log4j dependencies. 5. Exception logging format will change slightly: Before: {code:java} class org.apache.ignite.IgniteException: Platform error:System.Exception: EXCEPTION_TEST_Warn at org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.loggerLog(PlatformProcessorImpl.java:449) at org.apache.ignite.internal.processors.platform.P
[jira] [Updated] (IGNITE-16650) Exclude ignite-log4j, log4j 1.2.17
[ https://issues.apache.org/jira/browse/IGNITE-16650?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Mikhail Petrov updated IGNITE-16650: Description: log4j 1.2.17 is not supported and contains critical vulnerabilities https://blogs.apache.org/foundation/entry/apache_logging_services_project_announces I suggest excluding the ignite-log4j module from ignite Direct vulnerabilities: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23305 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23302 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4104 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17571 As a result of the mentioned migration, the following changes will be applied: 1. ignite-log4j.xml will be migrated to log4j2 format. Unfortunately after the refactoring we will get two configuration ignite-log4j.xml and ignite-log4j2.xml both in log4j2 format because the main goal of this refactoring is to keep current log formatting that is used with log4j intact. Currently ignite-log4j.xml and ignite-log4j2.xml provides different log formats for log4j and log4j2 respectively. 2. core/src/test/config/log4j-test.xml will not be migrated to log4j2 because it is used in compatibility tests. 3. core/src/test/config/log4j2-test.xml is refactored to suite current log4j format. The current version of core/src/test/config/log4j2-test.xml is moved to the log4j2/src/test/config folder/ 4. osgi-paxlogging will be removed because it's only meant to provide some log4j dependencies. 5. Exception logging format will change slightly: Before: {code:java} class org.apache.ignite.IgniteException: Platform error:System.Exception: EXCEPTION_TEST_Warn at org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.loggerLog(PlatformProcessorImpl.java:449) at org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.processInStreamOutLong(PlatformProcessorImpl.java:511) at org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.processInStreamOutLong(PlatformProcessorImpl.java:575) at org.apache.ignite.internal.processors.platform.PlatformTargetProxyImpl.inStreamOutLong(PlatformTargetProxyImpl.java:67) {code} After: {code:java} org.apache.ignite.IgniteException: Platform error:System.Exception: EXCEPTION_TEST_Warn at org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.loggerLog(PlatformProcessorImpl.java:449) at org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.processInStreamOutLong(PlatformProcessorImpl.java:511) at org.apache.ignite.internal.processors.platform.PlatformProcessorImpl.processInStreamOutLong(PlatformProcessorImpl.java:575) at org.apache.ignite.internal.processors.platform.PlatformTargetProxyImpl.inStreamOutLong(PlatformTargetProxyImpl.java:67) {code} As we see - only the first "class" word is omitted. 6. All other files containing log4j configuration will be refactored to suite log4j2 and will be renamed if previously their name allowed log4j to automatically find them in the class path (e.g. log4j.xml -> log4j2.xml and so on) was: log4j 1.2.17 is not supported and contains critical vulnerabilities https://blogs.apache.org/foundation/entry/apache_logging_services_project_announces I suggest excluding the ignite-log4j module from ignite Direct vulnerabilities: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23305 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23302 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4104 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17571 > Exclude ignite-log4j, log4j 1.2.17 > -- > > Key: IGNITE-16650 > URL: https://issues.apache.org/jira/browse/IGNITE-16650 > Project: Ignite > Issue Type: Bug >Reporter: Sergei Ryzhov >Assignee: Mikhail Petrov >Priority: Major > Labels: ise > Time Spent: 20m > Remaining Estimate: 0h > > log4j 1.2.17 is not supported and contains critical vulnerabilities > https://blogs.apache.org/foundation/entry/apache_logging_services_project_announces > I suggest excluding the ignite-log4j module from ignite > Direct vulnerabilities: > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23305 > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23302 > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4104 > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17571 > As a result of the mentioned migration, the following changes will be applied: > 1. ignite-log4j.xml will be migrated to log4j2 format. Unfortunately after > the refactoring we will get two configuration ignite-log4j.xml and > ignite-log4j2.xml both in log4j2 format because the main goal of this > refactoring is to keep current log formatting that
[jira] [Updated] (IGNITE-16650) Exclude ignite-log4j, log4j 1.2.17
[ https://issues.apache.org/jira/browse/IGNITE-16650?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sergei Ryzhov updated IGNITE-16650: --- Labels: ise (was: ) > Exclude ignite-log4j, log4j 1.2.17 > -- > > Key: IGNITE-16650 > URL: https://issues.apache.org/jira/browse/IGNITE-16650 > Project: Ignite > Issue Type: Bug >Reporter: Sergei Ryzhov >Assignee: Sergei Ryzhov >Priority: Major > Labels: ise > > log4j 1.2.17 is not supported and contains critical vulnerabilities > https://blogs.apache.org/foundation/entry/apache_logging_services_project_announces > I suggest excluding the ignite-log4j module from ignite > Direct vulnerabilities: > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23305 > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23302 > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4104 > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17571 -- This message was sent by Atlassian Jira (v8.20.1#820001)