Re: [External] Re: Log4j Issue

2023-04-21 Thread Christian Grobmeier
Hello Gurumoorthi,

please subscribe to dev@logging.apache.org by sending an empty message to 
dev-subscr...@logging.apache.org.
It is hard for our message moderators to manually moderate your messages 
through.

You need to find the log4j version of Tomcat. Please search for this; it could 
be in the lib folder of Tomcat.

You can also search the whole installation of Tomcat for "log4j" or 
"log4j-core-2.2.jar", then you should find it.

Kind regards,
Christian


--
The Apache Software Foundation
V.P., Data Privacy

On Fri, Apr 21, 2023, at 12:51, Gurumoorthi Vijayalingam wrote:
> Any help on this request? We are stuck. 
>
> -Original Message-
> From: Gurumoorthi Vijayalingam 
> Sent: Thursday, April 13, 2023 7:36 AM
> To: Christian Grobmeier ; dev@logging.apache.org
> Subject: RE: [External] Re: Log4j Issue
>
> Hi Team,
>
> We tried the steps Christian mentioned in the email below, but are still 
> getting the same error. Please help us to fix this issue. 
>
> Thanks,
> Guru.
>
> -Original Message-
> From: Christian Grobmeier 
> Sent: Tuesday, March 21, 2023 2:17 AM
> To: Gurumoorthi Vijayalingam ; 
> dev@logging.apache.org
> Cc: Paolo Gil Ostrea ; Roark Hamilton 
> ; Bhavana Pujari ; Sireesha 
> Kutala 
> Subject: Re: [External] Re: Log4j Issue
>
> CAUTION: This message was sent from outside of the company. Please do 
> not click links or open attachments unless you recognize the source of 
> this email and know the content is safe.
>
>
> Hello Gurumoorthi,
>
> Piotr already responded to your email:
>
>> MapLookup#newMap changed from private (as in 2.2) to package (as in
>> 2.17.1) in the course of history. Your Tomcat is picking up the 
>> private one, which means that log4j-core-2.2.jar is still on the 
>> classpath.
>> Double check that the old Log4j2 version is no longer there and 
>> restart Tomcat to be sure.
>>
>> Piotr
>
> If this information does not help you, respond to 
> dev@logging.apache.org as Dominik told you.
>
> Kind regards,
> Christian
>
>
> --
> The Apache Software Foundation
> V.P., Data Privacy
>
> On Mon, Mar 20, 2023, at 17:27, Gurumoorthi Vijayalingam wrote:
>> Hi Team,
>>
>> Can you please help us to fix this issue?
>>
>> Regards,
>> Guru.
>>
>> From: Dominik Psenner 
>> Sent: 04 March 2023 02:16
>> To: secur...@logging.apache.org
>> Cc: Paolo Gil Ostrea ; Roark Hamilton 
>> ; Gurumoorthi Vijayalingam 
>> 
>> Subject: [External] Re: Log4j Issue
>>
>>
>> Hi
>>
>> I'm CCing the original author of the message. Please read below.
>> Further please consider posting to the proper mailing list. The 
>> request is not about a security issue and probably should have been 
>> posted to dev@logging.apache.org after 
>> subscribing to that mailing list.
>>
>> Warm regards
>> Dominik
>> --
>> Sent from my phone. Typos are a kind gift to anyone who happens to find them.
>>
>> On Fri, Mar 3, 2023, 21:17 Piotr P. Karwasz 
>> mailto:piotr.karw...@gmail.com>> wrote:
>> Gurumoorthi,
>>
>> On Fri, 3 Mar 2023 at 19:04, Gurumoorthi Vijayalingam 
>> mailto:gvijayalin...@simeio.com>> wrote:
>>> Just attached the error message and log4j configuration for your reference.
>>
>> MapLookup#newMap changed from private (as in 2.2) to package (as in
>> 2.17.1) in the course of history. Your Tomcat is picking up the 
>> private one, which means that log4j-core-2.2.jar is still on the 
>> classpath.
>> Double check that the old Log4j2 version is no longer there and 
>> restart Tomcat to be sure.
>>
>> Piotr


RE: [External] Re: Log4j Issue

2023-04-21 Thread Gurumoorthi Vijayalingam
Any help on this request? We are stuck. 

-Original Message-
From: Gurumoorthi Vijayalingam 
Sent: Thursday, April 13, 2023 7:36 AM
To: Christian Grobmeier ; dev@logging.apache.org
Subject: RE: [External] Re: Log4j Issue

Hi Team,

We tried the steps Christian mentioned in the email below, but are still getting 
the same error. Please help us to fix this issue. 

Thanks,
Guru.

-Original Message-
From: Christian Grobmeier 
Sent: Tuesday, March 21, 2023 2:17 AM
To: Gurumoorthi Vijayalingam ; dev@logging.apache.org
Cc: Paolo Gil Ostrea ; Roark Hamilton 
; Bhavana Pujari ; Sireesha Kutala 

Subject: Re: [External] Re: Log4j Issue



Hello Gurumoorthi,

Piotr already responded to your email:

> MapLookup#newMap changed from private (as in 2.2) to package (as in
> 2.17.1) in the course of history. Your Tomcat is picking up the 
> private one, which means that log4j-core-2.2.jar is still on the 
> classpath.
> Double check that the old Log4j2 version is no longer there and 
> restart Tomcat to be sure.
>
> Piotr

If this information does not help you, respond to dev@logging.apache.org as 
Dominik told you.

Kind regards,
Christian


--
The Apache Software Foundation
V.P., Data Privacy

On Mon, Mar 20, 2023, at 17:27, Gurumoorthi Vijayalingam wrote:
> Hi Team,
>
> Can you please help us to fix this issue?
>
> Regards,
> Guru.
>
> From: Dominik Psenner 
> Sent: 04 March 2023 02:16
> To: secur...@logging.apache.org
> Cc: Paolo Gil Ostrea ; Roark Hamilton 
> ; Gurumoorthi Vijayalingam 
> 
> Subject: [External] Re: Log4j Issue
>
>
> Hi
>
> I'm CCing the original author of the message. Please read below.
> Further please consider posting to the proper mailing list. The 
> request is not about a security issue and probably should have been 
> posted to dev@logging.apache.org after 
> subscribing to that mailing list.
>
> Warm regards
> Dominik
> --
> Sent from my phone. Typos are a kind gift to anyone who happens to find them.
>
> On Fri, Mar 3, 2023, 21:17 Piotr P. Karwasz 
> mailto:piotr.karw...@gmail.com>> wrote:
> Gurumoorthi,
>
> On Fri, 3 Mar 2023 at 19:04, Gurumoorthi Vijayalingam 
> mailto:gvijayalin...@simeio.com>> wrote:
>> Just attached the error message and log4j configuration for your reference.
>
> MapLookup#newMap changed from private (as in 2.2) to package (as in
> 2.17.1) in the course of history. Your Tomcat is picking up the 
> private one, which means that log4j-core-2.2.jar is still on the 
> classpath.
> Double check that the old Log4j2 version is no longer there and 
> restart Tomcat to be sure.
>
> Piotr


RE: [External] Re: Log4j Issue

2023-04-21 Thread Gurumoorthi Vijayalingam
No, I am not able to find the log4j version in the Tomcat lib folder. The problem 
occurred when we upgraded the jar files from 2.2 to 2.17.


Regards,
Guru.

-Original Message-
From: Christian Grobmeier  
Sent: Friday, April 21, 2023 4:36 PM
To: Gurumoorthi Vijayalingam ; dev@logging.apache.org
Subject: Re: [External] Re: Log4j Issue



Hello Gurumoorthi,

please subscribe to dev@logging.apache.org by sending an empty message to 
dev-subscr...@logging.apache.org.
It is hard for our message moderators to manually moderate your messages 
through.

You need to find the log4j version of Tomcat. Please search for this; it could 
be in the lib folder of Tomcat.

You can also search the whole installation of Tomcat for "log4j" or 
"log4j-core-2.2.jar", then you should find it.

Kind regards,
Christian


--
The Apache Software Foundation
V.P., Data Privacy

On Fri, Apr 21, 2023, at 12:51, Gurumoorthi Vijayalingam wrote:
> Any help on this request? We are stuck.
>
> -Original Message-
> From: Gurumoorthi Vijayalingam
> Sent: Thursday, April 13, 2023 7:36 AM
> To: Christian Grobmeier ; dev@logging.apache.org
> Subject: RE: [External] Re: Log4j Issue
>
> Hi Team,
>
> We tried the steps Christian mentioned in the email below, but are still 
> getting the same error. Please help us to fix this issue.
>
> Thanks,
> Guru.
>
> -Original Message-
> From: Christian Grobmeier 
> Sent: Tuesday, March 21, 2023 2:17 AM
> To: Gurumoorthi Vijayalingam ; 
> dev@logging.apache.org
> Cc: Paolo Gil Ostrea ; Roark Hamilton 
> ; Bhavana Pujari ; Sireesha 
> Kutala 
> Subject: Re: [External] Re: Log4j Issue
>
>
>
> Hello Gurumoorthi,
>
> Piotr already responded to your email:
>
>> MapLookup#newMap changed from private (as in 2.2) to package (as in
>> 2.17.1) in the course of history. Your Tomcat is picking up the 
>> private one, which means that log4j-core-2.2.jar is still on the 
>> classpath.
>> Double check that the old Log4j2 version is no longer there and 
>> restart Tomcat to be sure.
>>
>> Piotr
>
> If this information does not help you, respond to 
> dev@logging.apache.org as Dominik told you.
>
> Kind regards,
> Christian
>
>
> --
> The Apache Software Foundation
> V.P., Data Privacy
>
> On Mon, Mar 20, 2023, at 17:27, Gurumoorthi Vijayalingam wrote:
>> Hi Team,
>>
>> Can you please help us to fix this issue?
>>
>> Regards,
>> Guru.
>>
>> From: Dominik Psenner 
>> Sent: 04 March 2023 02:16
>> To: secur...@logging.apache.org
>> Cc: Paolo Gil Ostrea ; Roark Hamilton 
>> ; Gurumoorthi Vijayalingam 
>> 
>> Subject: [External] Re: Log4j Issue
>>
>>
>> Hi
>>
>> I'm CCing the original author of the message. Please read below.
>> Further please consider posting to the proper mailing list. The 
>> request is not about a security issue and probably should have been 
>> posted to dev@logging.apache.org after 
>> subscribing to that mailing list.
>>
>> Warm regards
>> Dominik
>> --
>> Sent from my phone. Typos are a kind gift to anyone who happens to find them.
>>
>> On Fri, Mar 3, 2023, 21:17 Piotr P. Karwasz 
>> mailto:piotr.karw...@gmail.com>> wrote:
>> Gurumoorthi,
>>
>> On Fri, 3 Mar 2023 at 19:04, Gurumoorthi Vijayalingam 
>> mailto:gvijayalin...@simeio.com>> wrote:
>>> Just attached the error message and log4j configuration for your reference.
>>
>> MapLookup#newMap changed from private (as in 2.2) to package (as in
>> 2.17.1) in the course of history. Your Tomcat is picking up the 
>> private one, which means that log4j-core-2.2.jar is still on the 
>> classpath.
>> Double check that the old Log4j2 version is no longer there and 
>> restart Tomcat to be sure.
>>
>> Piotr


Re: [External] Re: Log4j Issue

2023-04-21 Thread Christian Grobmeier
Are you deploying your application as a war file? If so, can you unzip that war 
file and search for log4j there?

--
The Apache Software Foundation
V.P., Data Privacy

On Fri, Apr 21, 2023, at 13:21, Gurumoorthi Vijayalingam wrote:
> No, I am not able to find the log4j version in the Tomcat lib folder. The problem 
> occurred when we upgraded the jar files from 2.2 to 2.17.
>
>
> Regards,
> Guru.
>
> -Original Message-
> From: Christian Grobmeier  
> Sent: Friday, April 21, 2023 4:36 PM
> To: Gurumoorthi Vijayalingam ; 
> dev@logging.apache.org
> Subject: Re: [External] Re: Log4j Issue
>
>
>
> Hello Gurumoorthi,
>
> please subscribe to dev@logging.apache.org by sending an empty message 
> to dev-subscr...@logging.apache.org.
> It is hard for our message moderators to manually moderate your 
> messages through.
>
> You need to find the log4j version of Tomcat. Please search for this; 
> it could be in the lib folder of Tomcat.
>
> You can also search the whole installation of Tomcat for "log4j" or 
> "log4j-core-2.2.jar", then you should find it.
>
> Kind regards,
> Christian
>
>
> --
> The Apache Software Foundation
> V.P., Data Privacy
>
> On Fri, Apr 21, 2023, at 12:51, Gurumoorthi Vijayalingam wrote:
>> Any help on this request? We are stuck.
>>
>> -Original Message-
>> From: Gurumoorthi Vijayalingam
>> Sent: Thursday, April 13, 2023 7:36 AM
>> To: Christian Grobmeier ; dev@logging.apache.org
>> Subject: RE: [External] Re: Log4j Issue
>>
>> Hi Team,
>>
>> We tried the steps Christian mentioned in the email below, but are still 
>> getting the same error. Please help us to fix this issue.
>>
>> Thanks,
>> Guru.
>>
>> -Original Message-
>> From: Christian Grobmeier 
>> Sent: Tuesday, March 21, 2023 2:17 AM
>> To: Gurumoorthi Vijayalingam ; 
>> dev@logging.apache.org
>> Cc: Paolo Gil Ostrea ; Roark Hamilton 
>> ; Bhavana Pujari ; Sireesha 
>> Kutala 
>> Subject: Re: [External] Re: Log4j Issue
>>
>>
>>
>> Hello Gurumoorthi,
>>
>> Piotr already responded to your email:
>>
>>> MapLookup#newMap changed from private (as in 2.2) to package (as in
>>> 2.17.1) in the course of history. Your Tomcat is picking up the 
>>> private one, which means that log4j-core-2.2.jar is still on the 
>>> classpath.
>>> Double check that the old Log4j2 version is no longer there and 
>>> restart Tomcat to be sure.
>>>
>>> Piotr
>>
>> If this information does not help you, respond to 
>> dev@logging.apache.org as Dominik told you.
>>
>> Kind regards,
>> Christian
>>
>>
>> --
>> The Apache Software Foundation
>> V.P., Data Privacy
>>
>> On Mon, Mar 20, 2023, at 17:27, Gurumoorthi Vijayalingam wrote:
>>> Hi Team,
>>>
>>> Can you please help us to fix this issue?
>>>
>>> Regards,
>>> Guru.
>>>
>>> From: Dominik Psenner 
>>> Sent: 04 March 2023 02:16
>>> To: secur...@logging.apache.org
>>> Cc: Paolo Gil Ostrea ; Roark Hamilton 
>>> ; Gurumoorthi Vijayalingam 
>>> 
>>> Subject: [External] Re: Log4j Issue
>>>
>>>
>>> Hi
>>>
>>> I'm CCing the original author of the message. Please read below.
>>> Further please consider posting to the proper mailing list. The 
>>> request is not about a security issue and probably should have been 
>>> posted to dev@logging.apache.org after 
>>> subscribing to that mailing list.
>>>
>>> Warm regards
>>> Dominik
>>> --
>>> Sent from my phone. Typos are a kind gift to anyone who happens to find 
>>> them.
>>>
>>> On Fri, Mar 3, 2023, 21:17 Piotr P. Karwasz 
>>> mailto:piotr.karw...@gmail.com>> wrote:
>>> Gurumoorthi,
>>>
>>> On Fri, 3 Mar 2023 at 19:04, Gurumoorthi Vijayalingam 
>>> mailto:gvijayalin...@simeio.com>> wrote:
>>>> Just attached the error message and log4j configuration for your reference.
>>>
>>> MapLookup#newMap changed from private (as in 2.2) to package (as in
>>> 2.17.1) in the course of history. Your Tomcat is picking up the 
>>> private one, which means that log4j-core-2.2.jar is still on the 
>>> classpath.
>>> Double check that the old Log4j2 version is no longer there and 
>>> restart Tomcat to be sure.
>>>
>>> Piotr


RE: [External] Re: Log4j Issue

2023-04-21 Thread Gurumoorthi Vijayalingam
No, we are not deploying as a war file. And the application /lib currently has 
the following log4j files. 


-rw-r-. 1 fruser fruser   16431 Aug 25  2022 jcl-over-slf4j-1.7.21.jar
-rw-r-. 1 fruser fruser4597 Aug 25  2022 jul-to-slf4j-1.7.21.jar
-rw-r-. 1 fruser fruser   41071 Aug 25  2022 slf4j-api-1.7.21.jar
-rw-r-. 1 fruser fruser   16831 Aug 25  2022 i18n-slf4j-1.4.4.jar
-rwxr-xr-x. 1 fruser fruser  301872 Mar  2 17:28 log4j-api-2.17.1.jar
-rwxr-xr-x. 1 fruser fruser 1790452 Mar  2 17:28 log4j-core-2.17.1.jar

Regards,
Guru.

-Original Message-
From: Christian Grobmeier  
Sent: Friday, April 21, 2023 4:55 PM
To: Gurumoorthi Vijayalingam ; dev@logging.apache.org
Subject: Re: [External] Re: Log4j Issue



Are you deploying your application as a war file? If so, can you unzip that war 
file and search for log4j there?

--
The Apache Software Foundation
V.P., Data Privacy

On Fri, Apr 21, 2023, at 13:21, Gurumoorthi Vijayalingam wrote:
> No, I am not able to find the log4j version in the Tomcat lib folder. The 
> problem occurred when we upgraded the jar files from 2.2 to 2.17.
>
>
> Regards,
> Guru.
>
> -Original Message-
> From: Christian Grobmeier 
> Sent: Friday, April 21, 2023 4:36 PM
> To: Gurumoorthi Vijayalingam ; 
> dev@logging.apache.org
> Subject: Re: [External] Re: Log4j Issue
>
>
>
> Hello Gurumoorthi,
>
> please subscribe to dev@logging.apache.org by sending an empty message 
> to dev-subscr...@logging.apache.org.
> It is hard for our message moderators to manually moderate your 
> messages through.
>
> You need to find the log4j version of Tomcat. Please search for this;
> it could be in the lib folder of Tomcat.
>
> You can also search the whole installation of Tomcat for "log4j" or 
> "log4j-core-2.2.jar", then you should find it.
>
> Kind regards,
> Christian
>
>
> --
> The Apache Software Foundation
> V.P., Data Privacy
>
> On Fri, Apr 21, 2023, at 12:51, Gurumoorthi Vijayalingam wrote:
>> Any help on this request? We are stuck.
>>
>> -Original Message-
>> From: Gurumoorthi Vijayalingam
>> Sent: Thursday, April 13, 2023 7:36 AM
>> To: Christian Grobmeier ; 
>> dev@logging.apache.org
>> Subject: RE: [External] Re: Log4j Issue
>>
>> Hi Team,
>>
>> We tried the steps Christian mentioned in the email below, but are still 
>> getting the same error. Please help us to fix this issue.
>>
>> Thanks,
>> Guru.
>>
>> -Original Message-
>> From: Christian Grobmeier 
>> Sent: Tuesday, March 21, 2023 2:17 AM
>> To: Gurumoorthi Vijayalingam ; 
>> dev@logging.apache.org
>> Cc: Paolo Gil Ostrea ; Roark Hamilton 
>> ; Bhavana Pujari ; 
>> Sireesha Kutala 
>> Subject: Re: [External] Re: Log4j Issue
>>
>>
>>
>> Hello Gurumoorthi,
>>
>> Piotr already responded to your email:
>>
>>> MapLookup#newMap changed from private (as in 2.2) to package (as in
>>> 2.17.1) in the course of history. Your Tomcat is picking up the 
>>> private one, which means that log4j-core-2.2.jar is still on the 
>>> classpath.
>>> Double check that the old Log4j2 version is no longer there and 
>>> restart Tomcat to be sure.
>>>
>>> Piotr
>>
>> If this information does not help you, respond to 
>> dev@logging.apache.org as Dominik told you.
>>
>> Kind regards,
>> Christian
>>
>>
>> --
>> The Apache Software Foundation
>> V.P., Data Privacy
>>
>> On Mon, Mar 20, 2023, at 17:27, Gurumoorthi Vijayalingam wrote:
>>> Hi Team,
>>>
>>> Can you please help us to fix this issue?
>>>
>>> Regards,
>>> Guru.
>>>
>>> From: Dominik Psenner 
>>> Sent: 04 March 2023 02:16
>>> To: secur...@logging.apache.org
>>> Cc: Paolo Gil Ostrea ; Roark Hamilton 
>>> ; Gurumoorthi Vijayalingam 
>>> 
>>> Subject: [External] Re: Log4j Issue
>>>
>>>
>>> Hi
>>>
>>> I'm CCing the original author of the message. Please read below.
>>> Further please consider posting to the proper mailing list. The 
>>> request is not about a security issue and probably should have been 
>>> posted to dev@logging.apache.org 
>>> after subscribing to that mailing list.
>>>
>>> Warm regards
>>> Dominik
>>> --
>>> Sent from my phone. Typos are a kind gift to anyone who happens to find 
>>> them.
>>>
>>> On Fri, Mar 3, 2023, 21:17 Piotr P. Karwasz 
>>> mailto:piotr.karw...@gmail.com>> wrot

RE: CVE-2023-26464: Apache Log4j 1.x (EOL) allows DoS in Chainsaw and SocketAppender

2023-04-21 Thread Marián Konček
Would it be possible to provide more details of the classes concerned which 
cause the DDoS, or give an example of how to reproduce this?


On 2023/03/10 13:37:22 Arnout Engelen wrote:
> Severity: low
>
> Description:
>
> ** UNSUPPORTED WHEN ASSIGNED **
>
> When using the Chainsaw or SocketAppender components with Log4j 1.x 
> on JRE less than 1.7, an attacker that manages to cause a logging entry 
> involving a specially-crafted (ie, deeply nested)
> hashmap or hashtable (depending on which logging component is in use) 
> to be processed could exhaust the available memory in the virtual 
> machine and achieve Denial of Service when the object is deserialized.
>
> This issue affects Apache Log4j before 2. Affected users are 
> recommended to update to Log4j 2.x.
>
> NOTE: This vulnerability only affects products that are no longer 
> supported by the maintainer.
>
> Credit:
>
> Garrett Tucker of Red Hat (reporter)
>
> References:
>
> https://logging.apache.org/
> https://www.cve.org/CVERecord?id=CVE-2023-26464
>
>

--
Marián Konček



Re: Formatting changes in Log4j

2023-04-21 Thread Volkan Yazıcı
+1

On Tue, Apr 18, 2023 at 11:29 PM Piotr P. Karwasz 
wrote:

> Hi all,
>
> As discussed during Sunday's meeting, in the following weeks I would
> like to perform these cleanup jobs on our repos:
>
> 1. On Friday evening: merge
> https://github.com/apache/logging-parent/pull/10 and publish
> `logging-parent`. This contains a basic Spotless configuration for
> Java, XML, POM and YAML files. Summarizing:
>
> * These files must use LF for the build to succeed. I will add to each
> repo a `.gitattributes` file roughly equivalent to a
> `core.autocrlf=input` setting.
> * Trailing space will be removed,
> * Files end with a new line,
> * A header like in
> https://www.apache.org/legal/src-headers.html#headers is used, but
> rewrapped to limit the amount of changes necessary. The header is
> indented using ' * ' for Java, '  ~ ' for XML and '# ' for YAML.
>
> In Java files:
>
> * indenting tabs will be replaced with 4 spaces,
> * imports will be grouped into `java`, `javax`, `jakarta`, everything
> else and sorted. On Eclipse I have a small problem with sorting:
> Eclipse sorts using the English (or maybe local), Spotless uses
> `String.compareTo`. I think it will not cause too many problems. I
> don't know how it works on IDEA,
>
> The main elements of POM files will be sorted, but no sorting inside
> those elements (e.g. no sorting for dependencies).
>
> 2. When `logging-parent` is published PRs will be created in
> `l-log4j2`, `l-l-transform` and `l-l-tools`. These will probably be
> huge (50k lines), but hopefully verifiable with `git diff`,
>
> 3. I'll apply the 4 "Finalize" recipes from OpenRewrite:
> https://docs.openrewrite.org/reference/recipes/java/cleanup.
>
> 4. Back to some useful work (releasing `l-l-transform` and checking
> `main` for regressions).
>
> If you have a strong feeling against these rules, please express them
> in this thread. I mostly need them to avoid distractions when
> comparing `2.x` with `main`.
>
> Piotr
>


Re: CVE-2023-26464: Apache Log4j 1.x (EOL) allows DoS in Chainsaw and SocketAppender

2023-04-21 Thread Ralph Goers
No, the details in the CVE should be enough for you to determine that. We 
simply looked at the source code and determined what the reporter found was 
correct.

Note that Log4j 1.x reached end-of-life in 2015. No one on the Apache Logging 
Services project has worked with it for many years.

Ralph

> On Apr 21, 2023, at 5:52 AM, Marián Konček  wrote:
> 
> Would it be possible to provide more details of the classes concerned which cause 
> the DDoS, or give an example of how to reproduce this?
> 
> On 2023/03/10 13:37:22 Arnout Engelen wrote:
> > Severity: low
> >
> > Description:
> >
> > ** UNSUPPORTED WHEN ASSIGNED **
> >
> > When using the Chainsaw or SocketAppender components with Log4j 1.x on JRE 
> > less than 1.7, an attacker that manages to cause a logging entry involving 
> > a specially-crafted (ie, deeply nested)
> > hashmap or hashtable (depending on which logging component is in use) to be 
> > processed could exhaust the available memory in the virtual machine and 
> > achieve Denial of Service when the object is deserialized.
> >
> > This issue affects Apache Log4j before 2. Affected users are recommended to 
> > update to Log4j 2.x.
> >
> > NOTE: This vulnerability only affects products that are no longer supported 
> > by the maintainer.
> >
> > Credit:
> >
> > Garrett Tucker of Red Hat (reporter)
> >
> > References:
> >
> > https://logging.apache.org/
> > https://www.cve.org/CVERecord?id=CVE-2023-26464
> >
> >
> 
> -- 
> Marián Konček
> 



Re: CVE-2023-26464: Apache Log4j 1.x (EOL) allows DoS in Chainsaw and SocketAppender

2023-04-21 Thread Ceki Gülcü


Hi Marian,

This CVE was analyzed within the context of the reload4j project. It
was deemed not a serious or practical threat, as its attack surface, as
it pertains to log4j 1.x, is vanishingly small [1].

The reload4j project is a fork of Apache log4j version 1.2.17 with the
goal of fixing pressing security issues. Reload4j is a binary
compatible, drop-in replacement for log4j version 1.2.17. By drop-in, we
mean that you can replace log4j.jar with reload4j.jar in your build with
no source code changes, no recompilation, nor rebuild being necessary.

Best regards,

[1] https://github.com/qos-ch/reload4j/issues/63

On 4/21/2023 2:52 PM, Marián Konček wrote:
> Would it be possible to provide more details of the classes concerned which
> cause the DDoS, or give an example of how to reproduce this?
> 
> On 2023/03/10 13:37:22 Arnout Engelen wrote:
>> Severity: low
>>
>> Description:
>>
>> ** UNSUPPORTED WHEN ASSIGNED **
>>
>> When using the Chainsaw or SocketAppender components with Log4j 1.x on
>> JRE less than 1.7, an attacker that manages to cause a logging entry
>> involving a specially-crafted (ie, deeply nested)
>> hashmap or hashtable (depending on which logging component is in use)
>> to be processed could exhaust the available memory in the virtual
>> machine and achieve Denial of Service when the object is deserialized.
>>
>> This issue affects Apache Log4j before 2. Affected users are
>> recommended to update to Log4j 2.x.
>>
>> NOTE: This vulnerability only affects products that are no longer
>> supported by the maintainer.
>>
>> Credit:
>>
>> Garrett Tucker of Red Hat (reporter)
>>
>> References:
>>
>> https://logging.apache.org/
>> https://www.cve.org/CVERecord?id=CVE-2023-26464
>>
>>
> 

-- 
Ceki Gülcü

Sponsoring SLF4J/logback/reload4j at https://github.com/sponsors/qos-ch


[LAZY][VOTE] Release Logging Parent POM version 9

2023-04-21 Thread Piotr P. Karwasz
This is a lazy vote to release logging-parent 9. This vote is open for
72 hours and will pass unless getting a net negative vote count.

Release notes:

* A default Spotless configuration has been added for Java, POM, XML
and YAML files.

Staging repo:
https://repository.apache.org/content/repositories/orgapachelogging-1101

POM file:
https://repository.apache.org/content/repositories/orgapachelogging-1101/org/apache/logging/logging-parent/9/logging-parent-9.pom

All relevant files:
- 
https://repository.apache.org/content/repositories/orgapachelogging-1101/org/apache/logging/logging-parent/9/logging-parent-9-source-release.zip
- 
https://repository.apache.org/content/repositories/orgapachelogging-1101/org/apache/logging/logging-parent/9/logging-parent-9-source-release.zip.asc
- 
https://repository.apache.org/content/repositories/orgapachelogging-1101/org/apache/logging/logging-parent/9/logging-parent-9-source-release.zip.sha512
- 
https://repository.apache.org/content/repositories/orgapachelogging-1101/org/apache/logging/logging-parent/9/logging-parent-9.pom
- 
https://repository.apache.org/content/repositories/orgapachelogging-1101/org/apache/logging/logging-parent/9/logging-parent-9.pom.asc

Git URL:
https://gitbox.apache.org/repos/asf/logging-parent.git

Tag:
logging-parent-9

Keys file:
https://downloads.apache.org/logging/KEYS

Release signed with keyid 04B44C056663906446B77A6D89F11DC191AA7042

Countdown:
https://www.timeanddate.com/countdown/vote?iso=20230424T2145&p0=4162&font=cursive&csz=1

Piotr
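
The checks a voter should run on the staged artifacts before casting a +1, as an added example that is not part of the vote mail or the project's own tooling. It uses the staging URLs, KEYS file and release key id from the mail above; the helper names, the throw-away keyring file `release-keys.gpg`, and the use of `curl`, `gpg` and `sha512sum`/`shasum` are assumptions.

```shell
#!/bin/sh
# Added example: verify the staged logging-parent 9 artifacts before voting.
# URLs and the release key id come from the vote mail; the local keyring
# name and the helper names are assumptions.
set -u

STAGING="https://repository.apache.org/content/repositories/orgapachelogging-1101/org/apache/logging/logging-parent/9"
KEYS_URL="https://downloads.apache.org/logging/KEYS"
RELEASE_KEY="04B44C056663906446B77A6D89F11DC191AA7042"

# Download one URL into the current directory, keeping the remote name.
fetch() {
    curl -fsSLO "$1"
}

# Return 0 when "$1.sha512" matches the SHA-512 digest of "$1".
# Apache .sha512 files are either a bare hex digest or "digest  name";
# the first 128-hex-char token is taken either way, case-insensitively.
verify_sha512() {
    file="$1"
    expected=$(grep -oE '[0-9a-fA-F]{128}' "$file.sha512" 2>/dev/null | head -n1 | tr 'A-F' 'a-f')
    if command -v sha512sum >/dev/null 2>&1; then
        actual=$(sha512sum "$file" | cut -d' ' -f1)
    else
        actual=$(shasum -a 512 "$file" | cut -d' ' -f1)
    fi
    if [ -n "$expected" ] && [ "$expected" = "$actual" ]; then
        return 0
    fi
    return 1
}

# Return 0 when "$1.asc" is a valid detached signature over "$1" made by
# the announced release key. Keys are imported from the project KEYS file
# into a throw-away keyring so the user's own trust store is untouched.
# The VALIDSIG status line carries the signing (sub)key fingerprint and,
# last, the primary key fingerprint, so the announced id is matched
# anywhere on that line.
verify_pgp() {
    file="$1"
    gpg --batch --no-default-keyring --keyring ./release-keys.gpg \
        --import KEYS >/dev/null 2>&1
    gpg --batch --no-default-keyring --keyring ./release-keys.gpg \
        --status-fd 1 --verify "$file.asc" "$file" 2>/dev/null |
        grep -q "VALIDSIG.*$RELEASE_KEY"
}

# Fetch everything listed in the vote mail and run both checks.
verify_release() {
    fetch "$KEYS_URL"
    for f in logging-parent-9-source-release.zip logging-parent-9.pom; do
        fetch "$STAGING/$f"
        fetch "$STAGING/$f.asc"
    done
    fetch "$STAGING/logging-parent-9-source-release.zip.sha512"

    verify_sha512 logging-parent-9-source-release.zip || { echo "sha512 mismatch" >&2; return 1; }
    verify_pgp logging-parent-9-source-release.zip    || { echo "bad signature on zip" >&2; return 1; }
    verify_pgp logging-parent-9.pom                   || { echo "bad signature on pom" >&2; return 1; }
    echo "all checks passed"
}
```

Run `verify_release` from an empty scratch directory; a digest mismatch or a signature from any key other than the announced one makes it return 1 before you cast a vote.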


Re: [External] Re: Log4j Issue

2023-04-21 Thread Christian Grobmeier
Hello Guru,

the only way to have this issue is with an outdated version of log4j on your 
classpath.
Can you check what classpath is being used in your container? There may be an 
additional classpath that we are not aware of.

Could you let us know the full setup of your machine, for example: 
- exact version of tomcat
- how do you deploy things
- have you probably included log4j in other components (fat jar)
- what is the classpath definition of your application?

I know this is a lot to ask, but the assumption is still that there are two 
different versions of log4j on your classpath. That's what I would check.

Kind regards,
Christian
 

On Fri, Apr 21, 2023, at 13:53, Gurumoorthi Vijayalingam wrote:
> No, we are not deploying as a war file. And the application /lib 
> currently has the following log4j files. 
>
>
> -rw-r-. 1 fruser fruser   16431 Aug 25  2022 jcl-over-slf4j-1.7.21.jar
> -rw-r-. 1 fruser fruser4597 Aug 25  2022 jul-to-slf4j-1.7.21.jar
> -rw-r-. 1 fruser fruser   41071 Aug 25  2022 slf4j-api-1.7.21.jar
> -rw-r-. 1 fruser fruser   16831 Aug 25  2022 i18n-slf4j-1.4.4.jar
> -rwxr-xr-x. 1 fruser fruser  301872 Mar  2 17:28 log4j-api-2.17.1.jar
> -rwxr-xr-x. 1 fruser fruser 1790452 Mar  2 17:28 log4j-core-2.17.1.jar
>
> Regards,
> Guru.
>
> -Original Message-
> From: Christian Grobmeier  
> Sent: Friday, April 21, 2023 4:55 PM
> To: Gurumoorthi Vijayalingam ; 
> dev@logging.apache.org
> Subject: Re: [External] Re: Log4j Issue
>
>
>
> Are you deploying your application as a war file? If so, can you unzip 
> that war file and search for log4j there?
>
> --
> The Apache Software Foundation
> V.P., Data Privacy
>
> On Fri, Apr 21, 2023, at 13:21, Gurumoorthi Vijayalingam wrote:
>> No, I am not able to find the log4j version in the Tomcat lib folder. The 
>> problem occurred when we upgraded the jar files from 2.2 to 2.17.
>>
>>
>> Regards,
>> Guru.
>>
>> -Original Message-
>> From: Christian Grobmeier 
>> Sent: Friday, April 21, 2023 4:36 PM
>> To: Gurumoorthi Vijayalingam ; 
>> dev@logging.apache.org
>> Subject: Re: [External] Re: Log4j Issue
>>
>>
>>
>> Hello Gurumoorthi,
>>
>> please subscribe to dev@logging.apache.org by sending an empty message 
>> to dev-subscr...@logging.apache.org.
>> It is hard for our message moderators to manually moderate your 
>> messages through.
>>
>> You need to find the log4j version of Tomcat. Please search for this;
>> it could be in the lib folder of Tomcat.
>>
>> You can also search the whole installation of Tomcat for "log4j" or 
>> "log4j-core-2.2.jar", then you should find it.
>>
>> Kind regards,
>> Christian
>>
>>
>> --
>> The Apache Software Foundation
>> V.P., Data Privacy
>>
>> On Fri, Apr 21, 2023, at 12:51, Gurumoorthi Vijayalingam wrote:
>>> Any help on this request? We're stuck.
>>>
>>> -Original Message-
>>> From: Gurumoorthi Vijayalingam
>>> Sent: Thursday, April 13, 2023 7:36 AM
>>> To: Christian Grobmeier ; 
>>> dev@logging.apache.org
>>> Subject: RE: [External] Re: Log4j Issue
>>>
>>> Hi Team,
>>>
>>> We tried the steps Christian mentioned in the email below, but are still 
>>> getting the same error. Please help us to fix this issue.
>>>
>>> Thanks,
>>> Guru.
>>>
>>> -Original Message-
>>> From: Christian Grobmeier 
>>> Sent: Tuesday, March 21, 2023 2:17 AM
>>> To: Gurumoorthi Vijayalingam ; 
>>> dev@logging.apache.org
>>> Cc: Paolo Gil Ostrea ; Roark Hamilton 
>>> ; Bhavana Pujari ; 
>>> Sireesha Kutala 
>>> Subject: Re: [External] Re: Log4j Issue
>>>
>>> Hello Gurumoorthi,
>>>
>>> Piotr already responded to your email:
>>>
>>>> MapLookup#newMap changed from private (as in 2.2) to package (as in
>>>> 2.17.1) in the course of history. Your Tomcat is picking up the 
>>>> private one, which means that log4j-core-2.2.jar is still on the 
>>>> classpath.
>>>> Double check that the old Log4j2 version is no longer there and 
>>>> restart Tomcat to be sure.
>>>>
>>>> Piotr
>>>
>>> If this information does not help you, respond to 
>>> dev@logging.apache.org as Dominik told you.
>>>
>>> Kind regards,
>>> Christian
>>>
>>>
>>> --
>>> The Apache Software Foundation
>>> V.P., Data Privacy
>>>
>>> On Mon, Mar 20, 2023, at 17:27, Gurumoorthi Vijayalingam wrote:
>>>> Hi Team,
>>>>
>>>> Can you please help us to fix this issue.
>>>>
>>>> Regards,
>>>> Guru.
>>>>
>>>> From: Dominik Psenner 
>>>> Sent: 04 March 2023 02:16
>>>> To: secur...@logging.apache.o

Difference between log4j-1.2.9.jar and log4j-1.2.9-1.0.jar

2023-04-21 Thread Jagdale, Mitali
Hello Apache Dev Team,

Situation: Both the libraries log4j-1.2.9.jar and log4j-1.2.9-1.0.jar are 
getting flagged on the same server.

Question: If possible, I was wondering if you could provide some technical 
insight on the difference between both of the libraries.

Moreover, please feel free to point me towards any link as well that can help 
clarify my question. Thank you.

Sincerely,
Mitali



Re: [External] Re: Log4j Issue

2023-04-21 Thread Ralph Goers
Note that he may also have a shaded jar that has Log4j embedded in it. That 
would be impossible for us to know without personally inspecting the deployment.

Ralph

> On Apr 21, 2023, at 12:51 PM, Christian Grobmeier  
> wrote:
> 
> Hello Guru,
> 
> the only way to have this issue is with an outdated version of log4j on your 
> classpath.
> Can you check what classpath is being used in your container? There may be an 
> additional classpath that we are not aware of.
> 
> Could you let us know the full setup of your machine, for example: 
> - exact version of tomcat
> - how do you deploy things
> - have you perhaps included log4j in other components (fat jar)
> - what is the classpath definition of your application?
> 
> I know this is many things to ask, but the assumption is still there are two 
> different versions of log4j on your classpath. That's what I would check.
> 
> Kind regards,
> Christian
> 
> 
> On Fri, Apr 21, 2023, at 13:53, Gurumoorthi Vijayalingam wrote:
>> No, we are not deploying as a war file. And the application /lib 
>> currently has the following log4j files. 
>> 
>> 
>> -rw-r-. 1 fruser fruser   16431 Aug 25  2022 jcl-over-slf4j-1.7.21.jar
>> -rw-r-. 1 fruser fruser    4597 Aug 25  2022 jul-to-slf4j-1.7.21.jar
>> -rw-r-. 1 fruser fruser   41071 Aug 25  2022 slf4j-api-1.7.21.jar
>> -rw-r-. 1 fruser fruser   16831 Aug 25  2022 i18n-slf4j-1.4.4.jar
>> -rwxr-xr-x. 1 fruser fruser  301872 Mar  2 17:28 log4j-api-2.17.1.jar
>> -rwxr-xr-x. 1 fruser fruser 1790452 Mar  2 17:28 log4j-core-2.17.1.jar
>> 
>> Regards,
>> Guru.
>> 
>> -Original Message-
>> From: Christian Grobmeier  
>> Sent: Friday, April 21, 2023 4:55 PM
>> To: Gurumoorthi Vijayalingam ; 
>> dev@logging.apache.org
>> Subject: Re: [External] Re: Log4j Issue
>> 
>> Are you deploying your application as a war file? If so, can you unzip 
>> that war file and search for log4j there?
>> 
>> --
>> The Apache Software Foundation
>> V.P., Data Privacy
>> 
>> On Fri, Apr 21, 2023, at 13:21, Gurumoorthi Vijayalingam wrote:
>>> No, I am not able to find the log4j version in the tomcat lib folder. The 
>>> problem occurred when we upgraded the jar files from 2.2 to 2.17.
>>> 
>>> 
>>> Regards,
>>> Guru.
>>> 
>>> -Original Message-
>>> From: Christian Grobmeier 
>>> Sent: Friday, April 21, 2023 4:36 PM
>>> To: Gurumoorthi Vijayalingam ; 
>>> dev@logging.apache.org
>>> Subject: Re: [External] Re: Log4j Issue
>>> 
>>> Hello Gurumoorthi,
>>> 
>>> please subscribe to dev@logging.apache.org by sending an empty message 
>>> to dev-subscr...@logging.apache.org.
>>> It is hard for our message moderators to manually moderate your 
>>> messages through.
>>> 
>>> You need to find the log4j version of Tomcat. Please search for this.
>>> it could be in the lib folder of Tomcat.
>>> 
>>> You can also search the whole installation of Tomcat for "log4j" or 
>>> "log4j-core-2.2.jar", then you should find it.
>>> 
>>> Kind regards,
>>> Christian
>>> 
>>> 
>>> --
>>> The Apache Software Foundation
>>> V.P., Data Privacy
>>> 
>>> On Fri, Apr 21, 2023, at 12:51, Gurumoorthi Vijayalingam wrote:
>>>> Any help on this request? We're stuck.
>>>>
>>>> -Original Message-
>>>> From: Gurumoorthi Vijayalingam
>>>> Sent: Thursday, April 13, 2023 7:36 AM
>>>> To: Christian Grobmeier ; 
>>>> dev@logging.apache.org
>>>> Subject: RE: [External] Re: Log4j Issue
>>>>
>>>> Hi Team,
>>>>
>>>> We tried the steps Christian mentioned in the email below, but are still 
>>>> getting the same error. Please help us to fix this issue.
>>>>
>>>> Thanks,
>>>> Guru.
>>>>
>>>> -Original Message-
>>>> From: Christian Grobmeier 
>>>> Sent: Tuesday, March 21, 2023 2:17 AM
>>>> To: Gurumoorthi Vijayalingam ; 
>>>> dev@logging.apache.org
>>>> Cc: Paolo Gil Ostrea ; Roark Hamilton 
>>>> ; Bhavana Pujari ; 
>>>> Sireesha Kutala 
>>>> Subject: Re: [External] Re: Log4j Issue
>>>>
>>>> Hello Gurumoorthi,
>>>>
>>>> Piotr already responded to your email:
>>>>
>>>>> MapLookup#newMap changed from private (as in 2.2) to package (as in
>>>>> 2.17.1) in the course of history. Your Tomcat is picking up the 
>>>>> private one, which means that log4j-core-2.2.jar is still on the 
>>>>> classpath.
>>>>> Double check that the old Log4j2 version is no longer there and 
>>>>> restart Tomcat to be sure.
>>>>>
>>>>> Piotr
>>>>
>>>> If this information does not help you, respond

Re: [External] Re: Log4j Issue

2023-04-21 Thread Piotr P. Karwasz
Hi all,

On Sat, 22 Apr 2023 at 01:02, Ralph Goers  wrote:
>
> Note that he may also have a shaded jar that has Log4j embedded in it. That 
> would be impossible for us to know without personally inspecting the 
> deployment.

That's something that can be discovered with a shell script like this:

find . -iname '*.jar' -print0 | while IFS= read -r -d '' file; do
  # unzip -t lists each entry while testing the archive, so a match on the
  # package path means Log4j 2 classes are inside, shaded or not
  if unzip -t "$file" | grep -q org/apache/logging/log4j; then echo "$file"; fi
done

This might contain bash-specific options, but should work on a GNU
Linux distribution or on Windows with the MSys2 distribution (e.g.
from Git for Windows).

Piotr
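The thread's diagnosis rests on two checks: Christian's "there are two versions of log4j on the classpath" and Ralph's caveat that one of them may be shaded into an application jar where a filename search never finds it. The following Python script is an added example written for this archive page; it is not Piotr's script and not code from the Log4j project. It walks a directory, opens every jar, war and ear with Python's zipfile module, recurses into archives nested inside them (WEB-INF/lib, fat jars) and reports the version recorded in the Maven pom.properties of each Log4j artifact, so a stale 2.2 copy beside 2.17.1 shows up in one listing. The deployment tree it scans is constructed in a temporary directory for the demonstration; its class entries are placeholder bytes, not real Log4j jars, and the file names (app-all.jar, app.war) are made up.

```python
"""Inventory every copy of Log4j 2 under a deployment directory, including
copies nested in WARs and fat jars, with the version from Maven pom.properties."""
import io
import os
import tempfile
import zipfile

LOG4J_PACKAGE = "org/apache/logging/log4j/"
MAVEN_DIR = "META-INF/maven/org.apache.logging.log4j/"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear")


def version_from_pom_properties(zf):
    """Return the version= value of the first Log4j pom.properties, or None."""
    for name in zf.namelist():
        if name.startswith(MAVEN_DIR) and name.endswith("/pom.properties"):
            for line in zf.read(name).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    return line.split("=", 1)[1].strip()
    return None


def scan_archive(zf, location, findings):
    """Record a hit if this archive holds Log4j classes, then recurse into nested archives."""
    names = zf.namelist()
    if any(n.startswith(LOG4J_PACKAGE) for n in names):
        findings.append((location, version_from_pom_properties(zf) or "unknown"))
    for name in names:
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue  # suffix says archive, content says otherwise
            with inner:
                scan_archive(inner, location + "!" + name, findings)


def scan_tree(root):
    """Return [(location, version)]; nested archives read as outer.war!inner.jar."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower().endswith(ARCHIVE_SUFFIXES):
                try:
                    with zipfile.ZipFile(os.path.join(dirpath, fn)) as zf:
                        scan_archive(zf, os.path.join(dirpath, fn), findings)
                except zipfile.BadZipFile:
                    continue
    return findings


def distinct_versions(findings):
    """More than one entry here is the 'two versions on the classpath' smell."""
    return sorted({version for _, version in findings})


def _make_jar(entries):
    """Build an in-memory zip from {entry name: content} and return its bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample_tree(root):
    """Constructed sample deployment, not real jars: a current 2.17.1 core jar, a
    WAR with a nested 2.2 core jar and a fat jar that shades a 2.2 copy. Class
    entries are placeholder bytes; only the entry paths matter to the scanner."""
    def core_jar(version):
        return _make_jar({
            "org/apache/logging/log4j/core/lookup/MapLookup.class": b"\xca\xfe\xba\xbe",
            MAVEN_DIR + "log4j-core/pom.properties": "version=%s\n" % version,
        })
    files = {
        "lib/log4j-core-2.17.1.jar": core_jar("2.17.1"),
        "lib/slf4j-api-1.7.21.jar": _make_jar({"org/slf4j/Logger.class": b"\xca\xfe"}),
        "lib/app-all.jar": core_jar("2.2"),  # shaded: Log4j classes sit inside directly
        "webapps/app.war": _make_jar({"WEB-INF/lib/log4j-core-2.2.jar": core_jar("2.2")}),
    }
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)


def demo():
    """Scan the constructed tree; return [(location relative to root, version)]."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        rows = []
        for location, version in scan_tree(root):
            outer, bang, inner = location.partition("!")
            rows.append((os.path.relpath(outer, root) + bang + inner, version))
        return sorted(rows)


if __name__ == "__main__":
    for location, version in demo():
        print(f"{version:>8}  {location}")
```

Run it as is and the constructed tree yields three hits: lib/app-all.jar at 2.2 (the shaded copy that a search for log4j-core-2.2.jar would never find), lib/log4j-core-2.17.1.jar at 2.17.1, and webapps/app.war!WEB-INF/lib/log4j-core-2.2.jar at 2.2. On a real deployment, point scan_tree at the Tomcat base directory and at whatever extra classpath the container or startup script adds; two distinct versions in the output is exactly the situation that produces the MapLookup#newMap access error discussed above.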