SLF4J-491: Deprecate or remove slf4j-log4j12


    Details

    • Type: Task
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: Implementations
    • Labels: None

      Description

      http://logging.apache.org/log4j/1.2/index.html states that log4j 1.2 has an unresolved security hole (unvalidated deserialization, remotely exploitable without authorization).
      Java 9 having a different version string format broke log4j's version string parsing, introducing bugs into its MDC implementation, but that's much less important.

      Options for the documentation:

      1. Add a warning to the SLF4J manual that slf4j-log4j12 should not be used anymore.
      2. Remove mentions of slf4j-log4j12 entirely.

      Options for the code:

      Since slf4j-log4j12 cannot be removed from Maven repositories, a new version that warns about the issue should be released:

      1. Make it output an ERROR, stating "log4j 1.2 has an unfixed security hole; your application can be hacked by anybody with network access (CVE-2019-17571). Migrate to another logging backend as soon as possible."
      2. As above, but make it abort startup. (That's probably too much, there could be edge cases where an organization cannot migrate and cannot downgrade back to a previous, working slf4j-log4j12.)
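Whichever option the project picks, an application owner still has to find out whether a build pulls in slf4j-log4j12 (and with it log4j 1.2.x, CVE-2019-17571). The following added example, which is not part of this issue or of SLF4J, scans the output of `mvn dependency:tree` for exactly those coordinates; the sample tree is constructed.

```python
import re
from typing import Dict, List

# Constructed sample of `mvn dependency:tree` output; the coordinates
# and versions are illustrative, not taken from a real project.
SAMPLE_TREE = """\
[INFO] com.example:app:jar:1.0.0
[INFO] +- org.slf4j:slf4j-api:jar:1.7.30:compile
[INFO] +- org.slf4j:slf4j-log4j12:jar:1.7.30:compile
[INFO] |  \\- log4j:log4j:jar:1.2.17:compile
[INFO] \\- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.17.1:test
"""

# Dependency lines have the shape groupId:artifactId:type[:classifier]:version:scope,
# preceded by the Maven log prefix and the tree-drawing characters.
DEP_RE = re.compile(
    r"^\[INFO\]\s*[|+\\\- ]*"
    r"(?P<g>[^:\s]+):(?P<a>[^:\s]+):(?P<t>[^:\s]+)"
    r"(?::(?P<c>[^:\s]+))?:(?P<v>[^:\s]+):(?P<s>[^:\s]+)$"
)


def find_log4j1_backends(tree_text: str) -> List[Dict[str, str]]:
    """Return every slf4j-log4j12 binding and every log4j 1.2.x runtime in the tree."""
    findings = []
    for line in tree_text.splitlines():
        m = DEP_RE.match(line)
        if not m:
            continue  # root artifact line or non-dependency output
        g, a, v, scope = m.group("g"), m.group("a"), m.group("v"), m.group("s")
        if (g, a) == ("org.slf4j", "slf4j-log4j12"):
            reason = "SLF4J binding for log4j 1.2 (slf4j-log4j12)"
        elif (g, a) == ("log4j", "log4j") and v.startswith("1.2"):
            reason = "log4j 1.2.x runtime, affected by CVE-2019-17571"
        else:
            continue
        findings.append({"artifact": f"{g}:{a}", "version": v, "scope": scope, "reason": reason})
    return findings


def is_affected(tree_text: str) -> bool:
    """True when any compile/runtime-scoped finding is present (test scope is reported but not counted)."""
    return any(f["scope"] in ("compile", "runtime") for f in find_log4j1_backends(tree_text))


if __name__ == "__main__":
    for f in find_log4j1_backends(SAMPLE_TREE):
        print(f"{f['artifact']}:{f['version']} ({f['scope']}): {f['reason']}")
    print("affected:", is_affected(SAMPLE_TREE))
```

Run it as `mvn dependency:tree | python3 check_log4j1.py` after replacing `SAMPLE_TREE` with `sys.stdin.read()`; a log4j 2.x binding such as log4j-slf4j-impl is deliberately not flagged.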


            People

            Assignee:
            slf4j-dev SLF4J developers list
            Reporter:
            toolforger Joachim Durchholz
            Votes: 0
            Watchers: 1
