[jira] [Comment Edited] (LOG4J2-3383) JMS Log deserialization is failing on jboss eap after upgrade to 2.17.1
[ https://issues.apache.org/jira/browse/LOG4J2-3383?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17485415#comment-17485415 ]

Ralph Goers edited comment on LOG4J2-3383 at 2/1/22, 6:45 PM:
--------------------------------------------------------------

CVE-2017-5645 started our hunt for Serialization/Deserialization issues within Log4j. The change that causes the error message you get wasn't a direct result of that CVE but a bug we found as a result of the fix from that CVE. Note that LOG4J2-1958 deprecated SerializedLayout. Today we recommend using JsonTemplateLayout.

Relevant Jira issues: https://issues.apache.org/jira/browse/LOG4J2-1958, https://issues.apache.org/jira/browse/LOG4J2-1863, and https://issues.apache.org/jira/browse/LOG4J2-2163

Log4j 2 doesn't provide a JMS Sink/Server. How to use a FilteredObjectInputStream would require knowing what JMS server you are using. Note that if you are using Java 9 or greater you can also use the JDK's ObjectInputFilter. I wouldn't be surprised if third party tooling automatically uses that.

Note that XML is perfectly valid inside of JSON so long as it is treated as a Java String when the JSON is constructed.

For the benefit of [~ggregory] this behavior seems to have been added in Log4j 2.10.0.

was (Author: ralph.go...@dslextreme.com):
CVE-2017-5645 started our hunt for Serialization/Deserialization issues within Log4j. The change that causes the error message you get wasn't a direct result of that CVE but a bug we found as a result of the fix from that CVE. Note that LOG4J2-1958 deprecated SerializedLayout. Today we recommend using JsonTemplateLayout.

Relevant Jira issues: https://issues.apache.org/jira/browse/LOG4J2-1958, https://issues.apache.org/jira/browse/LOG4J2-1863, and https://issues.apache.org/jira/browse/LOG4J2-2163

Log4j 2 doesn't provide a JMS Sink/Server. How to use a FilteredObjectInputStream would require knowing what JMS server you are using. Note that if you are using Java 9 or greater you can also use the JDK's ObjectInputFilter. I wouldn't be surprised if third party tooling automatically uses that.

Note that XML is perfectly valid inside of JSON so long as it is treated as a Java String when the JSON is constructed.

> JMS Log deserialization is failing on jboss eap after upgrade to 2.17.1
> -----------------------------------------------------------------------
>
>                 Key: LOG4J2-3383
>                 URL: https://issues.apache.org/jira/browse/LOG4J2-3383
>             Project: Log4j 2
>          Issue Type: Question
>          Components: Appenders
>    Affects Versions: 2.17.1
>         Environment: JBoss EAP 7.2.0 on linux and windows.
> Jboss is using JMS client lib: artemis-jms-client-2.6.3.redhat-00014
>            Reporter: leor amikam
>            Priority: Critical
>
> We upgraded log4j2 from 2.9.0 to 2.17.1. Using the JMS appender. In our
> onMessage JMS handler, we have the following:
>
> {code:java}
> ObjectMessage objMessage = (ObjectMessage) message;
> LogEvent ev = (LogEvent) objMessage.getObject();
>
> {code}
>
> The cast to the LogEvent is now throwing this exception:
> {code:java}
> javax.jms.JMSException: readObject requires a FilteredObjectInputStream or an
> ObjectInputStream that accepts an ObjectInputFilter{code}
>
> Here is the log4j2.xml config for the appender
>
> destinationBindingName="jms/queue/AuditQueue"
> factoryBindingName="jms/RemoteConnectionFactory"
> providerURL="http-remoting://127.0.0.1:8080"
> username=""
> password=""
>
> factoryName="org.wildfly.naming.client.WildFlyInitialContextFactory"
>
> None of the underlying code has changed other than the log4j2 upgrade. Any
> suggestions?
> Thanks!

--
This message was sent by Atlassian Jira
(v8.20.1#820001)
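An added example, not from this thread or from Log4j: the JDK ObjectInputFilter mentioned in the comment above, applied as an allow-list to a plain ObjectInputStream on Java 9 or later. `FilteredReadDemo` and `AuditEvent` are constructed stand-ins for the consumer and its payload; how a particular JMS client exposes its stream is not shown, since that depends on the JMS server in use.

```java
import java.io.*;
import java.util.ArrayList;

public class FilteredReadDemo {
    // Constructed stand-in for the payload type the consumer expects to receive.
    static class AuditEvent implements Serializable {
        private static final long serialVersionUID = 1L;
        final String message;
        AuditEvent(String message) { this.message = message; }
    }

    // Allow-list: the expected payload class and String, a bounded object graph,
    // and a final "!*" that rejects every class not named earlier in the pattern.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "FilteredReadDemo$AuditEvent;java.lang.String;maxdepth=5;maxrefs=100;!*");

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(o);
        }
        return bytes.toByteArray();
    }

    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(FILTER); // set before the first readObject() call
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Expected type: passes the filter and deserializes normally.
        AuditEvent ok = (AuditEvent) readFiltered(serialize(new AuditEvent("user login")));
        System.out.println("accepted: " + ok.message);

        // Any other serializable type is refused before it is instantiated.
        ArrayList<String> other = new ArrayList<>();
        other.add("unexpected");
        try {
            readFiltered(serialize(other));
            System.out.println("accepted unexpected type");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

When the stream is created inside third-party code, the same pattern syntax can be supplied process-wide through the JDK's `jdk.serialFilter` system property, which applies to streams that do not set a filter of their own.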
[jira] [Comment Edited] (LOG4J2-3383) JMS Log deserialization is failing on jboss eap after upgrade to 2.17.1
[ https://issues.apache.org/jira/browse/LOG4J2-3383?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17485415#comment-17485415 ]

Ralph Goers edited comment on LOG4J2-3383 at 2/1/22, 6:44 PM:
--------------------------------------------------------------

CVE-2017-5645 started our hunt for Serialization/Deserialization issues within Log4j. The change that causes the error message you get wasn't a direct result of that CVE but a bug we found as a result of the fix from that CVE. Note that LOG4J2-1958 deprecated SerializedLayout. Today we recommend using JsonTemplateLayout.

Relevant Jira issues: https://issues.apache.org/jira/browse/LOG4J2-1958, https://issues.apache.org/jira/browse/LOG4J2-1863, and https://issues.apache.org/jira/browse/LOG4J2-2163

Log4j 2 doesn't provide a JMS Sink/Server. How to use a FilteredObjectInputStream would require knowing what JMS server you are using. Note that if you are using Java 9 or greater you can also use the JDK's ObjectInputFilter. I wouldn't be surprised if third party tooling automatically uses that.

Note that XML is perfectly valid inside of JSON so long as it is treated as a Java String when the JSON is constructed.

was (Author: ralph.go...@dslextreme.com):
CVE-2017-5645 started our hunt for Serialization/Deserialization issues within Log4j. The change that causes the error message you get wasn't a direct result of that CVE but a bug we found as a result of the fix from that CVE. Note that LOG4J2-1958 deprecated SerializedLayout. Today we recommend using JsonTemplateLayout.

Relevant Jira issues: https://issues.apache.org/jira/browse/LOG4J2-1958, https://issues.apache.org/jira/browse/LOG4J2-1863, and https://issues.apache.org/jira/browse/LOG4J2-2163

Log4j 2 doesn't provide a JMS Sink/Server. How to use a FilteredObjectInputStream would require knowing what JMS server you are using. Note that if you are using Java 9 or greater you can also use the JDK's ObjectInputFilter. I wouldn't be surprised if third party tooling automatically uses that.
[jira] [Comment Edited] (LOG4J2-3383) JMS Log deserialization is failing on jboss eap after upgrade to 2.17.1
[ https://issues.apache.org/jira/browse/LOG4J2-3383?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17485415#comment-17485415 ]

Ralph Goers edited comment on LOG4J2-3383 at 2/1/22, 6:42 PM:
--------------------------------------------------------------

CVE-2017-5645 started our hunt for Serialization/Deserialization issues within Log4j. The change that causes the error message you get wasn't a direct result of that CVE but a bug we found as a result of the fix from that CVE. Note that LOG4J2-1958 deprecated SerializedLayout. Today we recommend using JsonTemplateLayout.

Relevant Jira issues: https://issues.apache.org/jira/browse/LOG4J2-1958, https://issues.apache.org/jira/browse/LOG4J2-1863, and https://issues.apache.org/jira/browse/LOG4J2-2163

Log4j 2 doesn't provide a JMS Sink/Server. How to use a FilteredObjectInputStream would require knowing what JMS server you are using. Note that if you are using Java 9 or greater you can also use the JDK's ObjectInputFilter. I wouldn't be surprised if third party tooling automatically uses that.

was (Author: ralph.go...@dslextreme.com):
CVE-2017-5645 started our hunt for Serialization/Deserialization issues within Log4j. The change that causes the error message you get wasn't a direct result of that CVE but a bug we found as a result of the fix from that CVE. Note that LOG4J2-1958 deprecated SerializedLayout. Today we recommend using JsonTemplateLayout.

Relevant Jira issues: https://issues.apache.org/jira/browse/LOG4J2-1958, https://issues.apache.org/jira/browse/LOG4J2-1863, and https://issues.apache.org/jira/browse/LOG4J2-2163
[jira] [Comment Edited] (LOG4J2-3383) JMS Log deserialization is failing on jboss eap after upgrade to 2.17.1
[ https://issues.apache.org/jira/browse/LOG4J2-3383?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17485275#comment-17485275 ]

leor amikam edited comment on LOG4J2-3383 at 2/1/22, 2:25 PM:
--------------------------------------------------------------

[~rgoers] is there any doc on how to hook in a FilteredObjectInputStream into the JMS message deserialization? Is that something setup in the log4j.xml file? I can't change the format because we have embedded XML in there right now.

Thanks

was (Author: leor.ami...@hsntech.com):
[~rgoers] is there any doc on how to hook in a FilteredObjectInputStream into the JMS message deserialization? I can't change the format because we have embedded XML in there right now.

Thanks
[jira] [Comment Edited] (LOG4J2-3383) JMS Log deserialization is failing on jboss eap after upgrade to 2.17.1
[ https://issues.apache.org/jira/browse/LOG4J2-3383?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17485275#comment-17485275 ]

leor amikam edited comment on LOG4J2-3383 at 2/1/22, 2:24 PM:
--------------------------------------------------------------

[~rgoers] is there any doc on how to hook in a FilteredObjectInputStream into the JMS message deserialization? I can't change the format because we have embedded XML in there right now.

Thanks

was (Author: leor.ami...@hsntech.com):
[~rgoers] is there any doc on how to hook in a FilteredObjectInputStream into the JMS message deserialization?

Thanks
[jira] [Comment Edited] (LOG4J2-3383) JMS Log deserialization is failing on jboss eap after upgrade to 2.17.1
[ https://issues.apache.org/jira/browse/LOG4J2-3383?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17485260#comment-17485260 ]

Gary D. Gregory edited comment on LOG4J2-3383 at 2/1/22, 2:05 PM:
------------------------------------------------------------------

Hello [~leor.ami...@hsntech.com]

I do not see anything obvious looking at the release notes. If you are 100% sure that the only thing you have changed is Log4j, then I would look to see in which Log4j version this behavior first appears. Then, we can dig deeper.

was (Author: garydgregory):
Hello [~leor.ami...@hsntech.com]

I do not see anything obvious looking at the release notes. If you are 100% sure that the only thing you have changed is Log4j, then I would look to see in which Log4j version this behavior first appears.