
Deprecate or remove slf4j-log4j12

    Details

    • Type: Task
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: Implementations
    • Labels: None

      Description

      http://logging.apache.org/log4j/1.2/index.html states that log4j 1.2 has an unresolved security hole (unvalidated deserialization, remotely exploitable without authorization).
      Java 9 having a different version string format broke log4j's version string parsing, introducing bugs into its MDC implementation, but that's much less important.

      Options for the documentation:

      1. Add a warning to the SLF4J manual that slf4j-log4j12 should not be used anymore.
      2. Remove mentions of slf4j-log4j12 entirely.

      Options for the code:

      Since slf4j-log4j12 cannot be removed from Maven repositories, a new version that warns about the issue should be released:

      1. Make it output an ERROR, stating "log4j 1.2 has an unfixed security hole; your application can be hacked by anybody with network access (CVE-2019-17571). Migrate to another logging backend as soon as possible."
      2. As above, but make it abort startup. (That's probably too much, there could be edge cases where an organization cannot migrate and cannot downgrade back to a previous, working slf4j-log4j12.)
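      Whichever option the project picks, an operator still needs a way to find the deprecated binding in deployed applications. The following added example (not SLF4J project code) scans a lib directory and classifies jars by the classes they contain rather than by file name; the marker class names are assumptions, and the sample jars are constructed in a temporary directory so the script runs offline.

```python
"""Inventory check for the deprecated slf4j-log4j12 binding and log4j 1.2 jars.

Identifies jars by the classes they contain, not by file name, so renamed or
repackaged jars are still found. Marker classes are assumptions noted below.
"""
import os
import tempfile
import zipfile

# slf4j-log4j12 ships org.slf4j.impl.Log4jLoggerFactory (assumed marker).
SLF4J_LOG4J12_MARKER = "org/slf4j/impl/Log4jLoggerFactory.class"
# log4j 1.2 API classes also exist in the log4j-over-slf4j bridge; an appender
# class marks a real log4j 1.2 implementation (assumed marker).
LOG4J12_API_MARKER = "org/apache/log4j/Logger.class"
LOG4J12_IMPL_MARKER = "org/apache/log4j/FileAppender.class"

def classify_jar(path):
    """Return the set of findings for one jar file."""
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
    findings = set()
    if SLF4J_LOG4J12_MARKER in names:
        findings.add("slf4j-log4j12")
    if LOG4J12_API_MARKER in names:
        findings.add("log4j-1.2" if LOG4J12_IMPL_MARKER in names else "log4j-1.2-api-only")
    return findings

def scan_lib_dir(lib_dir):
    """Map each jar under lib_dir to its findings, omitting clean jars."""
    report = {}
    for name in sorted(os.listdir(lib_dir)):
        if name.endswith(".jar"):
            found = classify_jar(os.path.join(lib_dir, name))
            if found:
                report[name] = found
    return report

def _make_jar(path, entries):
    """Write a constructed jar holding empty entries with the given names."""
    with zipfile.ZipFile(path, "w") as jar:
        for entry in entries:
            jar.writestr(entry, b"")

def demo():
    """Constructed lib directory: binding, log4j 1.2, a bridge and a clean jar."""
    lib = tempfile.mkdtemp()
    _make_jar(os.path.join(lib, "slf4j-log4j12-1.7.30.jar"), [SLF4J_LOG4J12_MARKER])
    _make_jar(os.path.join(lib, "log4j-1.2.17.jar"), [LOG4J12_API_MARKER, LOG4J12_IMPL_MARKER])
    _make_jar(os.path.join(lib, "log4j-over-slf4j-1.7.30.jar"), [LOG4J12_API_MARKER])
    _make_jar(os.path.join(lib, "logback-classic-1.2.3.jar"), ["ch/qos/logback/classic/Logger.class"])
    return scan_lib_dir(lib)

if __name__ == "__main__":
    for jar, found in demo().items():
        print(f"{jar}: {', '.join(sorted(found))}")
```

      A "log4j-1.2-api-only" finding is the bridge case and needs no action; "slf4j-log4j12" and "log4j-1.2" are the jars the issue asks to migrate away from.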

              People

              Assignee:
              slf4j-dev SLF4J developers list
              Reporter:
              toolforger Joachim Durchholz
              Votes:
              1
              Watchers:
              3