Upgrade to log4j2 to get rid of CVE-2019-17571 #2815
zymap pushed a commit that referenced this issue (Oct 15, 2021):
### Motivation

Upgrades to log4j2 to get rid of CVE-2019-17571.

### Changes

The migration of log4j has been done mainly taking the official guidelines: https://logging.apache.org/log4j/2.x/manual/migration.html. In this PR, the following changes are included:

- Replacement of `slf4j-log4j12` by `log4j-1.2-api`. Also included the `log4j-slf4j-impl` binding as well as the `log4j-core` library.
- Changes in `pom`, `gradle` and license files to reflect the above library upgrade.
- Test classes `TestOrderedExecutorDecorators`, `LoggerOutput`, `MdcContextTest`, as well as the class `FileSystemUpgrade` made use of log4j1.2 API. This PR attempts to keep the same functionality with the new APIs.

### Verification

- Existing tests are passing.
- log4j1.2 is removed from project: #2816 (comment)
- Using `localbookie`, we observe that logs are shown correctly:

```
2021-10-07T16:04:23,757 - INFO - [main:GarbageCollectorThread@245] - Minor Compaction : enabled=true, threshold=0.20000000298023224, interval=3600000
2021-10-07T16:04:23,760 - INFO - [main:GarbageCollectorThread@247] - Major Compaction : enabled=true, threshold=0.800000011920929, interval=86400000
2021-10-07T16:04:23,952 - INFO - [main:BookieImpl@920] - Finished replaying journal in 2 ms.
2021-10-07T16:04:23,958 - INFO - [SyncThread-7-1:SyncThread@135] - Flush ledger storage at checkpoint CheckpointList{checkpoints=[LogMark: logFileId - 0 , logFileOffset - 0]}.
2021-10-07T16:04:23,980 - INFO - [main:BookieImpl@1010] - Finished reading journal, starting bookie
2021-10-07T16:04:24,011 - INFO - [BookieJournal-5000:Journal@919] - Starting journal on /tmp/localbookkeeper06554024139823286046test/current
2021-10-07T16:04:24,031 - INFO - [ForceWriteThread:Journal$ForceWriteThread@478] - ForceWrite Thread started
2021-10-07T16:04:24,048 - INFO - [BookieJournal-5000:JournalChannel@169] - Opening journal /tmp/localbookkeeper06554024139823286046test/current/17c5b11c65b.txn
```

In addition to that, if we change the `log4j.properties` file, the changes are reflected in the console output, meaning that the legacy configuration works and changes can be correctly applied:

```
Over Replicated Ledger Deletion : enabled=true, interval=86400000
Minor Compaction : enabled=true, threshold=0.20000000298023224, interval=3600000
Major Compaction : enabled=true, threshold=0.800000011920929, interval=86400000
Finished replaying journal in 5 ms.
Flush ledger storage at checkpoint CheckpointList{checkpoints=[LogMark: logFileId - 0 , logFileOffset - 0]}.
Finished reading journal, starting bookie
Starting journal on /tmp/localbookkeeper015049859959001160726test/current
ForceWrite Thread started
Opening journal /tmp/localbookkeeper015049859959001160726test/current/17c5b143063.txn
```

More verifications that logging works properly related to other Bookkeeper sub-components impacted may be needed.

Master Issue: #2815
Closed via #2816.
Ghatage pushed a commit to sijie/bookkeeper that referenced this issue (Jul 12, 2024), with the same commit message as above.
BUG REPORT

Describe the bug

Log4j1.x has a relevant and public security vulnerability: CVE-2019-17571. The solution is to upgrade Bookkeeper to log4j2 to remove that CVE.

To Reproduce

Scanning Bookkeeper image reports this CVE.

Expected behavior

Remove CVE from Bookkeeper.

Screenshots

n/a

Additional context

n/a
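The bug report's reproduction step (an image scan reporting CVE-2019-17571) and the commit's verification item (log4j 1.2 removed from the project) both come down to one check on the resolved dependency tree. The Python script below is an added example and not code from the BookKeeper project: it parses `mvn dependency:list` style output, flags the artifacts that put the affected log4j 1.2 implementation on the classpath (`log4j:log4j` and `org.slf4j:slf4j-log4j12`), names the log4j2 coordinates the commit swapped in, and treats the `log4j-1.2-api` bridge as what it is (the 1.2 API reimplemented on top of log4j2, not the affected implementation). It also catches the half-migrated state of a bridge with no `log4j-core` behind it. The two sample dependency lists, their version numbers, and all function names are constructed for this example.

```python
"""Audit `mvn dependency:list` output for log4j 1.x artifacts (CVE-2019-17571)
and report whether a log4j 1.2 -> log4j2 migration is complete.

Added example; not part of the BookKeeper project.
"""
import re
import sys
from typing import Dict, List, Tuple

# One resolved artifact per line, optionally prefixed by Maven's "[INFO]":
#   groupId:artifactId:type[:classifier]:version:scope
_DEP_RE = re.compile(
    r"^(?:\[INFO\])?\s*"
    r"(?P<group>[\w.-]+):(?P<artifact>[\w.-]+):(?P<type>[\w-]+)"
    r"(?::(?P<classifier>[\w-]+))?:(?P<version>[^:\s]+):(?P<scope>\w+)\s*$"
)

# Artifacts that ship or bind the log4j 1.2 implementation, mapped to the
# log4j2 coordinates the migration in this issue replaced them with.
VULNERABLE: Dict[Tuple[str, str], str] = {
    ("log4j", "log4j"): "org.apache.logging.log4j:log4j-core (plus log4j-api)",
    ("org.slf4j", "slf4j-log4j12"): "org.apache.logging.log4j:log4j-slf4j-impl",
}
# The bridge reimplements org.apache.log4j.* on top of log4j2; it is not the
# affected implementation and must not be reported as a finding.
BRIDGE = ("org.apache.logging.log4j", "log4j-1.2-api")
CORE = ("org.apache.logging.log4j", "log4j-core")


def parse_dependencies(text: str) -> List[Tuple[str, str, str]]:
    """Return (group, artifact, version) for every resolved-artifact line."""
    deps = []
    for line in text.splitlines():
        m = _DEP_RE.match(line)
        if m:
            deps.append((m["group"], m["artifact"], m["version"]))
    return deps


def audit(text: str) -> Dict[str, object]:
    """Flag log4j 1.2 artifacts and record which log4j2 pieces are present."""
    deps = parse_dependencies(text)
    findings = []
    for group, artifact, version in deps:
        replacement = VULNERABLE.get((group, artifact))
        if replacement is not None:
            findings.append({
                "coordinate": f"{group}:{artifact}:{version}",
                "cve": "CVE-2019-17571",
                "replace_with": replacement,
            })
    present = {(g, a) for g, a, _ in deps}
    return {
        "findings": findings,
        "bridge_present": BRIDGE in present,
        "core_present": CORE in present,
    }


def migration_complete(report: Dict[str, object]) -> bool:
    """True when no log4j 1.2 artifact remains and, if the 1.2 API bridge is
    used, log4j-core is there to back it.  A bridge with no implementation
    behind it compiles, but log4j2 falls back to its built-in SimpleLogger and
    the legacy log4j.properties the commit verified is never applied."""
    if report["findings"]:
        return False
    if report["bridge_present"] and not report["core_present"]:
        return False
    return True


# Constructed sample output (not from the BookKeeper build); versions are made up.
BEFORE_MIGRATION = """\
[INFO] The following files have been resolved:
[INFO]    org.slf4j:slf4j-api:jar:1.7.32:compile
[INFO]    org.slf4j:slf4j-log4j12:jar:1.7.32:compile
[INFO]    log4j:log4j:jar:1.2.17:compile
"""
AFTER_MIGRATION = """\
[INFO] The following files have been resolved:
[INFO]    org.slf4j:slf4j-api:jar:1.7.32:compile
[INFO]    org.apache.logging.log4j:log4j-api:jar:2.17.1:compile
[INFO]    org.apache.logging.log4j:log4j-core:jar:2.17.1:compile
[INFO]    org.apache.logging.log4j:log4j-slf4j-impl:jar:2.17.1:compile
[INFO]    org.apache.logging.log4j:log4j-1.2-api:jar:2.17.1:compile
"""

if __name__ == "__main__":
    # Pipe real `mvn dependency:list` output in, or fall back to the samples.
    if not sys.stdin.isatty():
        inputs = [("stdin", sys.stdin.read())]
    else:
        inputs = [("before", BEFORE_MIGRATION), ("after", AFTER_MIGRATION)]
    for name, text in inputs:
        report = audit(text)
        print(f"{name}: complete={migration_complete(report)}")
        for f in report["findings"]:
            print(f"  {f['coordinate']} affected by {f['cve']}; replace with {f['replace_with']}")
```

The same check can run over a Gradle dependency report or a jar listing pulled from the container image by swapping the regex; the point is that a scanner keys on the `log4j:log4j` 1.2.x artifact itself, so only removing that artifact (not merely adding the bridge alongside it) clears the finding.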