Note that he may also have a shaded jar that has Log4j embedded in it. That 
would be impossible for us to know without personally inspecting the deployment.

Ralph

> On Apr 21, 2023, at 12:51 PM, Christian Grobmeier <grobme...@apache.org> 
> wrote:
> 
> Hello Guru,
> 
> the only way to have this issue is with an outdated version of log4j on your 
> classpath.
> Can you check what classpath is being used in your container? There may be an 
> additional classpath that we are not aware of.
> 
> Could you let us know the full setup of your machine, for example: 
> - exact version of tomcat
> - how do you deploy things
> - have you probably included log4j in other components (fat jar)
> - what is the classpath definition of your application?
> 
> I know this is many things to ask, but the assumption is still there are two 
> different versions of log4j on your classpath. That's what I would check.
> 
> Kind regards,
> Christian
> 
> 
> On Fri, Apr 21, 2023, at 13:53, Gurumoorthi Vijayalingam wrote:
>> No, we are not deploying as a war file. The application /lib 
>> currently has the following log4j files. 
>> 
>> 
>> -rw-r-----. 1 fruser fruser   16431 Aug 25  2022 jcl-over-slf4j-1.7.21.jar
>> -rw-r-----. 1 fruser fruser    4597 Aug 25  2022 jul-to-slf4j-1.7.21.jar
>> -rw-r-----. 1 fruser fruser   41071 Aug 25  2022 slf4j-api-1.7.21.jar
>> -rw-r-----. 1 fruser fruser   16831 Aug 25  2022 i18n-slf4j-1.4.4.jar
>> -rwxr-xr-x. 1 fruser fruser  301872 Mar  2 17:28 log4j-api-2.17.1.jar
>> -rwxr-xr-x. 1 fruser fruser 1790452 Mar  2 17:28 log4j-core-2.17.1.jar
>> 
>> Regards,
>> Guru.
>> 
>> -----Original Message-----
>> From: Christian Grobmeier <grobme...@apache.org> 
>> Sent: Friday, April 21, 2023 4:55 PM
>> To: Gurumoorthi Vijayalingam <gvijayalin...@simeio.com>; 
>> dev@logging.apache.org
>> Subject: Re: [External] Re: Log4j Issue
>> 
>> CAUTION: This message was sent from outside of the company. Please do 
>> not click links or open attachments unless you recognize the source of 
>> this email and know the content is safe.
>> 
>> 
>> Are you deploying your application as a war file? If so, can you unzip 
>> that war file and search for log4j there?
>> 
>> --
>> The Apache Software Foundation
>> V.P., Data Privacy
>> 
>> On Fri, Apr 21, 2023, at 13:21, Gurumoorthi Vijayalingam wrote:
>>> No, I am not able to find the log4j version in the tomcat lib folder. The 
>>> problem occurred when we upgraded the jar files from 2.2 to 2.17
>>> 
>>> 
>>> Regards,
>>> Guru.
>>> 
>>> -----Original Message-----
>>> From: Christian Grobmeier <grobme...@apache.org>
>>> Sent: Friday, April 21, 2023 4:36 PM
>>> To: Gurumoorthi Vijayalingam <gvijayalin...@simeio.com>; 
>>> dev@logging.apache.org
>>> Subject: Re: [External] Re: Log4j Issue
>>> 
>>> 
>>> Hello Gurumoorthi,
>>> 
>>> please subscribe to dev@logging.apache.org by sending an empty message 
>>> to dev-subscr...@logging.apache.org.
>>> It is hard for our message moderators to manually moderate your 
>>> messages through.
>>> 
>>> You need to find the log4j version of Tomcat. Please search for this.
>>> It could be in the lib folder of Tomcat.
>>> 
>>> You can also search the whole installation of Tomcat for "log4j" or 
>>> "log4j-core-2.2.jar", then you should find it.
>>> 
>>> Kind regards,
>>> Christian
>>> 
>>> 
>>> --
>>> The Apache Software Foundation
>>> V.P., Data Privacy
>>> 
>>> On Fri, Apr 21, 2023, at 12:51, Gurumoorthi Vijayalingam wrote:
>>>> Any help on this request? We are stuck.
>>>> 
>>>> -----Original Message-----
>>>> From: Gurumoorthi Vijayalingam
>>>> Sent: Thursday, April 13, 2023 7:36 AM
>>>> To: Christian Grobmeier <grobme...@apache.org>; 
>>>> dev@logging.apache.org
>>>> Subject: RE: [External] Re: Log4j Issue
>>>> 
>>>> Hi Team,
>>>> 
>>>> We tried the steps Christian mentioned in the email below, but are still 
>>>> getting the same error. Please help us to fix this issue.
>>>> 
>>>> Thanks,
>>>> Guru.
>>>> 
>>>> -----Original Message-----
>>>> From: Christian Grobmeier <grobme...@apache.org>
>>>> Sent: Tuesday, March 21, 2023 2:17 AM
>>>> To: Gurumoorthi Vijayalingam <gvijayalin...@simeio.com>; 
>>>> dev@logging.apache.org
>>>> Cc: Paolo Gil Ostrea <post...@simeio.com>; Roark Hamilton 
>>>> <rhamil...@simeio.com>; Bhavana Pujari <bapuj...@simeio.com>; 
>>>> Sireesha Kutala <skut...@simeio.com>
>>>> Subject: Re: [External] Re: Log4j Issue
>>>> 
>>>> 
>>>> Hello Gurumoorthi,
>>>> 
>>>> Piotr already responded to your email:
>>>> 
>>>>> MapLookup#newMap changed from private (as in 2.2) to package (as in
>>>>> 2.17.1) in the course of history. Your Tomcat is picking up the 
>>>>> private one, which means that log4j-core-2.2.jar is still on the 
>>>>> classpath.
>>>>> Double check that the old Log4j2 versions are no longer there and 
>>>>> restart Tomcat to be sure.
>>>>> 
>>>>> Piotr
>>>> 
>>>> If this information does not help you, respond to 
>>>> dev@logging.apache.org as Dominik told you.
>>>> 
>>>> Kind regards,
>>>> Christian
>>>> 
>>>> 
>>>> --
>>>> The Apache Software Foundation
>>>> V.P., Data Privacy
>>>> 
>>>> On Mon, Mar 20, 2023, at 17:27, Gurumoorthi Vijayalingam wrote:
>>>>> Hi Team,
>>>>> 
>>>>> Can you please help us to fix this issue.
>>>>> 
>>>>> Regards,
>>>>> Guru.
>>>>> 
>>>>> From: Dominik Psenner <dpsen...@gmail.com>
>>>>> Sent: 04 March 2023 02:16
>>>>> To: secur...@logging.apache.org
>>>>> Cc: Paolo Gil Ostrea <post...@simeio.com>; Roark Hamilton 
>>>>> <rhamil...@simeio.com>; Gurumoorthi Vijayalingam 
>>>>> <gvijayalin...@simeio.com>
>>>>> Subject: [External] Re: Log4j Issue
>>>>> 
>>>>> Hi
>>>>> 
>>>>> I'm CCing the original author of the message. Please read below.
>>>>> Further please consider posting to the proper mailing list. The 
>>>>> request is not about a security issue and probably should have been 
>>>>> posted to dev@logging.apache.org<mailto:dev@logging.apache.org> 
>>>>> after subscribing to that mailing list.
>>>>> 
>>>>> Warm regards
>>>>> Dominik
>>>>> --
>>>>> Sent from my phone. Typos are a kind gift to anyone who happens to find 
>>>>> them.
>>>>> 
>>>>> On Fri, Mar 3, 2023, 21:17 Piotr P. Karwasz 
>>>>> <piotr.karw...@gmail.com<mailto:piotr.karw...@gmail.com>> wrote:
>>>>> Gurumoorthi,
>>>>> 
>>>>> On Fri, 3 Mar 2023 at 19:04, Gurumoorthi Vijayalingam 
>>>>> <gvijayalin...@simeio.com<mailto:gvijayalin...@simeio.com>> wrote:
>>>>>> Just attached the error message and log4j configuration for your 
>>>>>> reference.
>>>>> 
>>>>> MapLookup#newMap changed from private (as in 2.2) to package (as in
>>>>> 2.17.1) in the course of history. Your Tomcat is picking up the 
>>>>> private one, which means that log4j-core-2.2.jar is still on the 
>>>>> classpath.
>>>>> Double check that the old Log4j2 versions are no longer there and 
>>>>> restart Tomcat to be sure.
>>>>> 
>>>>> Piotr

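The check discussed in this thread, as an added example that is not part of the original messages or Log4j's own tooling: instead of matching file names, it looks inside every archive (including nested ones) for the `MapLookup` class, so a fat or shaded jar that embeds an old log4j-core is reported too. It assumes the shaded copy was not relocated to another package; the `app-all.jar` name and the sample layout in `demo()` are constructed.

```python
import io, os, tempfile, zipfile

# Class named in the thread; its presence marks a copy of log4j-core.
MARKER = "org/apache/logging/log4j/core/lookup/MapLookup.class"
# Maven metadata normally shipped inside log4j-core (a shading build may strip it).
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVES = (".jar", ".war", ".ear")

def scan_archive(data, label, hits):
    """Record each copy of log4j-core in an archive, recursing into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a readable archive; skip it
    with zf:
        names = sorted(zf.namelist())
        if MARKER in names:
            version = "unknown"  # classes present but metadata stripped
            if POM in names:
                for line in zf.read(POM).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        version = line.split("=", 1)[1].strip()
            hits.append((label, version))
        for name in names:
            if name.lower().endswith(ARCHIVES):
                scan_archive(zf.read(name), label + "!/" + name, hits)

def find_log4j_core(root):
    """Walk a deployment directory and return (location, version) for every copy."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(ARCHIVES):
                path = os.path.join(dirpath, f)
                with open(path, "rb") as fh:
                    scan_archive(fh.read(), os.path.relpath(path, root), hits)
    return sorted(hits)

def demo():
    """Constructed layout: the upgraded jar next to a fat jar still embedding 2.2."""
    with tempfile.TemporaryDirectory() as root:
        for name, ver in (("log4j-core-2.17.1.jar", "2.17.1"), ("app-all.jar", "2.2")):
            with zipfile.ZipFile(os.path.join(root, name), "w") as zf:
                zf.writestr(MARKER, b"")  # empty stand-in for the class file
                zf.writestr(POM, "version=" + ver + "\n")
        return find_log4j_core(root)
```

More than one entry in the result, or any entry whose version differs from the one deployed on purpose, means two copies of log4j-core are visible to the class loader.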