[slf4j-dev] [JIRA] (SLF4J-491) Deprecate or remove slf4j-log4j12
QOS.CH (JIRA)
noreply-jira at qos.ch
Thu May 7 09:18:00 CEST 2020
Joachim Durchholz created SLF4J-491:
---------------------------------------
Summary: Deprecate or remove slf4j-log4j12
Key: SLF4J-491
URL: https://jira.qos.ch/browse/SLF4J-491
Project: SLF4J
Issue Type: Task
Components: Implementations
Reporter: Joachim Durchholz
Assignee: SLF4J developers list
[http://logging.apache.org/log4j/1.2/index.html] states that log4j 1.2 has an unresolved security hole (unvalidated deserialization, remotely exploitable without authorization).
_Java 9 having a different version string format broke log4j's version string parsing, introducing bugs into its MDC implementation, but that's much less important._
Options for the documentation:
# Add a warning to the SLF4J manual that slf4j-log4j12 should not be used anymore.
# Remove mentions of slf4j-log4j12 entirely.
Options for the code:
Since slf4j-log4j12 cannot be removed from Maven repositories, a new version that warns about the issue should be released:
# Make it output an ERROR, stating "log4j 1.2 has an unfixed security hole; your application can be hacked by anybody with network access (CVE-2019-17571). Migrate to another logging backend as soon as possible."
# As above, but make it abort startup. (That's probably too much, there could be edge cases where an organization cannot migrate and cannot downgrade back to a previous, working slf4j-log4j12.)