Note that he may also have a shaded jar that has Log4j embedded in it. That would be impossible for us to know without personally inspecting the deployment.
Ralph > On Apr 21, 2023, at 12:51 PM, Christian Grobmeier <grobme...@apache.org> > wrote: > > Hello Guru, > > the only way to have this issue is with an outdated version of log4j on your > classpath. > Can you check what classpath is being used in your container? There may be an > additional classpath that we are not aware of. > > Could you let us know the full setup of your machine, in example: > - exact version of tomcat > - how do you deploy things > - have you probably included log4j in other components (fat jar) > - what is the classpath definition of your application? > > I know this is many things to ask, but the assumption is still there are two > different versions of log4j on your classpath. That's what I would check. > > Kind regards, > Christian > > > On Fri, Apr 21, 2023, at 13:53, Gurumoorthi Vijayalingam wrote: >> No, we are not deploying as war file. And the application /lib >> currently having followed log4j files. >> >> >> -rw-r-----. 1 fruser fruser 16431 Aug 25 2022 jcl-over-slf4j-1.7.21.jar >> -rw-r-----. 1 fruser fruser 4597 Aug 25 2022 jul-to-slf4j-1.7.21.jar >> -rw-r-----. 1 fruser fruser 41071 Aug 25 2022 slf4j-api-1.7.21.jar >> -rw-r-----. 1 fruser fruser 16831 Aug 25 2022 i18n-slf4j-1.4.4.jar >> -rwxr-xr-x. 1 fruser fruser 301872 Mar 2 17:28 log4j-api-2.17.1.jar >> -rwxr-xr-x. 1 fruser fruser 1790452 Mar 2 17:28 log4j-core-2.17.1.jar >> >> Regards, >> Guru. >> >> -----Original Message----- >> From: Christian Grobmeier <grobme...@apache.org> >> Sent: Friday, April 21, 2023 4:55 PM >> To: Gurumoorthi Vijayalingam <gvijayalin...@simeio.com>; >> dev@logging.apache.org >> Subject: Re: [External] Re: Log4j Issue >> >> CAUTION: This message was sent from outside of the company. Please do >> not click links or open attachments unless you recognize the source of >> this email and know the content is safe. >> >> >> Are you deploying your application as a war file? If so, can you unzip >> that war file and search for log4j there? >> >> -- >> The Apache Software Foundation >> V.P., Data Privacy >> >> On Fri, Apr 21, 2023, at 13:21, Gurumoorthi Vijayalingam wrote: >>> No, am not able to find log4j version in tomcat lib folder. The >>> problem occurred when we upgraded the jar files from 2.2 t o2.17 >>> >>> >>> Regards, >>> Guru. >>> >>> -----Original Message----- >>> From: Christian Grobmeier <grobme...@apache.org> >>> Sent: Friday, April 21, 2023 4:36 PM >>> To: Gurumoorthi Vijayalingam <gvijayalin...@simeio.com>; >>> dev@logging.apache.org >>> Subject: Re: [External] Re: Log4j Issue >>> >>> CAUTION: This message was sent from outside of the company. Please do >>> not click links or open attachments unless you recognize the source of >>> this email and know the content is safe. >>> >>> >>> Hello Gurumoorthi, >>> >>> please subscribe to dev@logging.apache.org by sending an empty message >>> to dev-subscr...@logging.apache.org. >>> It is hard for our message moderators to manually moderate your >>> messages through. >>> >>> You need to find the log4j version of Tomcat. Please search for this. >>> it could be in the lib folder of Tomcat. >>> >>> You can also search the whole installation of Tomcat for "log4j" or >>> "log4j-core-2.2.jar", then you should find it. >>> >>> Kind regards, >>> Christian >>> >>> >>> -- >>> The Apache Software Foundation >>> V.P., Data Privacy >>> >>> On Fri, Apr 21, 2023, at 12:51, Gurumoorthi Vijayalingam wrote: >>>> Any help on this request ? we stuck. >>>> >>>> -----Original Message----- >>>> From: Gurumoorthi Vijayalingam >>>> Sent: Thursday, April 13, 2023 7:36 AM >>>> To: Christian Grobmeier <grobme...@apache.org>; >>>> dev@logging.apache.org >>>> Subject: RE: [External] Re: Log4j Issue >>>> >>>> Hi Team, >>>> >>>> We tried the steps as Christian mentioned in below email, but still >>>> getting same error. Please help us to fix this issue >>>> >>>> Thanks, >>>> Guru. >>>> >>>> -----Original Message----- >>>> From: Christian Grobmeier <grobme...@apache.org> >>>> Sent: Tuesday, March 21, 2023 2:17 AM >>>> To: Gurumoorthi Vijayalingam <gvijayalin...@simeio.com>; >>>> dev@logging.apache.org >>>> Cc: Paolo Gil Ostrea <post...@simeio.com>; Roark Hamilton >>>> <rhamil...@simeio.com>; Bhavana Pujari <bapuj...@simeio.com>; >>>> Sireesha Kutala <skut...@simeio.com> >>>> Subject: Re: [External] Re: Log4j Issue >>>> >>>> CAUTION: This message was sent from outside of the company. Please do >>>> not click links or open attachments unless you recognize the source >>>> of this email and know the content is safe. >>>> >>>> >>>> Hello Gurumoorthi, >>>> >>>> Piotr already responded to your email: >>>> >>>>> MapLookup#newMap changed from private (as in 2.2) to package (as in >>>>> 2.17.1) in the course of history. Your Tomcat is picking up the >>>>> private one, which means that log4j-core-2.2.jar is still on the >>>>> classpath. >>>>> Double check that the old Log4j2 version are no longer there and >>>>> restart Tomcat to be sure. >>>>> >>>>> Piotr >>>> >>>> If this information does not help you, respond to >>>> dev@logging.apache.org as Dominik told you. >>>> >>>> Kind regards, >>>> Christian >>>> >>>> >>>> -- >>>> The Apache Software Foundation >>>> V.P., Data Privacy >>>> >>>> On Mon, Mar 20, 2023, at 17:27, Gurumoorthi Vijayalingam wrote: >>>>> Hi Team, >>>>> >>>>> Can you please help us to fix this issue. >>>>> >>>>> Regards, >>>>> Guru. >>>>> >>>>> From: Dominik Psenner <dpsen...@gmail.com> >>>>> Sent: 04 March 2023 02:16 >>>>> To: secur...@logging.apache.org >>>>> Cc: Paolo Gil Ostrea <post...@simeio.com>; Roark Hamilton >>>>> <rhamil...@simeio.com>; Gurumoorthi Vijayalingam >>>>> <gvijayalin...@simeio.com> >>>>> Subject: [External] Re: Log4j Issue >>>>> >>>>> CAUTION: This message was sent from outside of the company. Please >>>>> do not click links or open attachments unless you recognize the >>>>> source of this email and know the content is safe. >>>>> >>>>> Hi >>>>> >>>>> I'm CCing the original author of the message. Please read below. >>>>> Further please consider posting to the proper mailing list. The >>>>> request is not about a security issue and probably should have been >>>>> posted to dev@logging.apache.org<mailto:dev@logging.apache.org> >>>>> after subscribing to that mailing list. >>>>> >>>>> Warm regards >>>>> Dominik >>>>> -- >>>>> Sent from my phone. Typos are a kind gift to anyone who happens to find >>>>> them. >>>>> >>>>> On Fri, Mar 3, 2023, 21:17 Piotr P. Karwasz >>>>> <piotr.karw...@gmail.com<mailto:piotr.karw...@gmail.com>> wrote: >>>>> Gurumoorthi, >>>>> >>>>> On Fri, 3 Mar 2023 at 19:04, Gurumoorthi Vijayalingam >>>>> <gvijayalin...@simeio.com<mailto:gvijayalin...@simeio.com>> wrote: >>>>>> Just attached the error message and log4j configuration for your >>>>>> reference. >>>>> >>>>> MapLookup#newMap changed from private (as in 2.2) to package (as in >>>>> 2.17.1) in the course of history. Your Tomcat is picking up the >>>>> private one, which means that log4j-core-2.2.jar is still on the >>>>> classpath. >>>>> Double check that the old Log4j2 version are no longer there and >>>>> restart Tomcat to be sure. >>>>> >>>>> Piotr