
    Log4j 2

    Hi Isomorphic,

    Do you have any plans to remove the dependency on log4j 1.x (EOL August 5, 2015) and either a) switch to a default slf4j bridge configuration out-of-the-box or b) upgrade the dependency to log4j 2.15+?

    Regards

    #2
    We did find this post here.

    https://forums.smartclient.com/forum...-outdated-jars

Is there any change or update to: "We will be updating to log4j2, but not for 12.1."?

    Thank you



      #3
Originally posted by Isomorphic:
"We will be updating to log4j2, but not for 12.1.

You already have the ability to use whatever logging framework you want, and log4j is not the kind of library that suddenly has security issues, so there is little urgency here."

I think your position may have changed. Have you seen this: https://unit42.paloaltonetworks.com/...ve-2021-44228/ ?


Our company wants our distributions, currently 12.1 based, to remove the log4j dependencies from our builds asap. Can you comment? How do we remove the log4j package?


        #4
        Please see this thread.

        In a nutshell, you are not vulnerable to the current log4j 2.x vulnerability specifically because we have chosen to stay on log4j 1.x so far.

        And you are not vulnerable to the log4j 1.x vulnerabilities because they do not apply to SmartClient’s usage.

        Given that there is no vulnerability to fix, we do not plan to rush out changes to existing releases.

        We do still plan to eliminate the log4j 1.0 dependency, but as we’ve previously covered, this is a mild inconvenience, not a security problem.

We would like to take this opportunity to point out that the same people who have been very vocal about getting off of log4j 1.0 are now rushing to patch a zero day in the library they insisted should be used for security reasons.



          #5
          Hi Isomorphic,

The point is the EOL of log4j, which is also a security point, at least for customers.

          Best Regards



            #6
            Yes, EOL is sometimes perceived as insecure, but the reality was different in this case.

            See above - you can already use log4j 2.0 if you want. Just make sure you use a patched version.



              #7
The point is, our customers are more and more interested in the libraries used by our software. And libs with EOL status are not welcome and should be replaced.
Theoretically I can exclude log4j, but then the web server does not start anymore when I load Isomorphic resources. So the log4j library must always be part of our delivery, even if I don't want to use it.
This exception is thrown while starting GWT DevMode:
              [WARNING] TraceLoggerFactory found: com.siemens.ilf.trace.Log4j2LoggerFactory
              [INFO] ISC: ERROR: Unable to configure log4j - logging may not be available.
              [INFO] java.lang.NoClassDefFoundError: org/apache/log4j/Logger
              [INFO] at com.isomorphic.log.Logger.<clinit>(Logger.java:158)
              [INFO] at com.isomorphic.io.ISCFile.<clinit>(ISCFile.java:92)
              [INFO] at com.isomorphic.base.InitListener.oneTimeIdempotentInit(InitListener.java:95)
              [INFO] at com.isomorphic.base.InitListener.contextInitialized(InitListener.java:91)
              [INFO] at org.eclipse.jetty.server.handler.ContextHandler.callContextInitialized(ContextHandler.java:1067)
              [INFO] at org.eclipse.jetty.servlet.ServletContextHandler.callContextInitialized(ServletContextHandler.java:572)
              [INFO] at org.eclipse.jetty.server.handler.ContextHandler.contextInitialized(ContextHandler.java:996)
              [INFO] at org.eclipse.jetty.servlet.ServletHandler.initialize(ServletHandler.java:746)
              [INFO] at org.eclipse.jetty.servlet.ServletContextHandler.startContext(ServletContextHandler.java:379)
              [INFO] at org.eclipse.jetty.webapp.WebAppContext.startWebapp(WebAppContext.java:1449)
              [INFO] at org.eclipse.jetty.webapp.WebAppContext.startContext(WebAppContext.java:1414)
              [INFO] at org.eclipse.jetty.server.handler.ContextHandler.doStart(ContextHandler.java:910)
              [INFO] at org.eclipse.jetty.servlet.ServletContextHandler.doStart(ServletContextHandler.java:288)
              [INFO] at org.eclipse.jetty.webapp.WebAppContext.doStart(WebAppContext.java:524)
              [INFO] at com.google.gwt.dev.shell.jetty.JettyLauncher$WebAppContextWithReload.doStart(JettyLauncher.java:550)
              [INFO] at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73)
              [INFO] at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169)
              [INFO] at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:110)
              [INFO] at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:97)
              [INFO] at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73)
              [INFO] at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169)
              [INFO] at org.eclipse.jetty.server.Server.start(Server.java:423)
              [INFO] at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:110)
              [INFO] at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:97)
              [INFO] at org.eclipse.jetty.server.Server.doStart(Server.java:387)
              [INFO] at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73)
              [INFO] at com.google.gwt.dev.shell.jetty.JettyLauncher.start(JettyLauncher.java:760)
              [INFO] at com.google.gwt.dev.DevMode.doStartUpServer(DevMode.java:636)
              [INFO] at com.google.gwt.dev.DevModeBase.startUp(DevModeBase.java:923)
              [INFO] at com.google.gwt.dev.DevModeBase.run(DevModeBase.java:706)
              [INFO] at com.google.gwt.dev.DevMode.main(DevMode.java:432)

In web.xml I configured these parts:

<listener>
    <listener-class>com.isomorphic.base.InitListener</listener-class>
</listener>

<servlet>
    <servlet-name>DataSourceLoader</servlet-name>
    <servlet-class>com.isomorphic.servlet.DataSourceLoader</servlet-class>
</servlet>
<servlet-mapping>
    <servlet-name>DataSourceLoader</servlet-name>
    <url-pattern>/webui/sc/DataSourceLoader</url-pattern>
</servlet-mapping>

<!-- The IDACall servlet handles all Built-in DataSource operations -->
<servlet>
    <servlet-name>IDACall</servlet-name>
    <servlet-class>com.isomorphic.servlet.IDACall</servlet-class>
</servlet>
<!-- RPCManager uses this URL by default for Built-in DataSource operations -->
<servlet-mapping>
    <servlet-name>IDACall</servlet-name>
    <url-pattern>/webui/sc/IDACall/*</url-pattern>
</servlet-mapping>

The same setting works fine when the log4j jar is available.
It would be very helpful if the log4j jar were optional.
              Last edited by thonsmgwtandr; 21 Dec 2021, 08:46.

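The practical question running through #1 and #7 is what actually ends up in WEB-INF/lib: whether the EOL log4j-1.2.x jar is still shipped, whether a log4j 2.x bridge (log4j-1.2-api, which supplies org.apache.log4j.Logger and so would satisfy the class lookup in the stack trace above) is present instead, and whether any log4j-core jar is below the fixed versions. The scanner below is an added example for this page, not SmartClient's code or anything from the forum; it constructs placeholder jars with zero-byte class entries (only the entry names matter), and it assumes a 2.17.1 minimum for log4j-core (the thread asks for 2.15+, the first fix for CVE-2021-44228; follow-up CVEs were fixed through 2.17.1). Whether com.isomorphic.log.Logger runs correctly against the bridge instead of log4j 1.x is not established by the thread and is an assumption to be tested in your own build.

```python
"""Scan a WEB-INF/lib directory for log4j jars and report which jar supplies
org.apache.log4j.Logger (the class the NoClassDefFoundError above is about)."""
import os
import re
import tempfile
import zipfile

# Class that com.isomorphic.log.Logger needs during <clinit>, per the stack trace.
LOG4J1_LOGGER_CLASS = "org/apache/log4j/Logger.class"
# Shipped in log4j-core 2.x before the JNDI lookup class was removed; its presence
# is the usual on-disk indicator for CVE-2021-44228 exposure.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Assumed minimum acceptable log4j-core version (the thread asks for 2.15+).
MIN_CORE_VERSION = (2, 17, 1)

# Matches the artifact "log4j" itself, e.g. log4j-1.2.17.jar, but not
# log4j-1.2-api-2.17.1.jar or log4j-over-slf4j-1.7.36.jar (both are bridges).
EOL_LOG4J1_JAR = re.compile(r"log4j-\d+(\.\d+)*\.jar")
VERSION_SUFFIX = re.compile(r"-(\d+(?:\.\d+)*)\.jar$")


def version_of(jar_name):
    """Return the version tuple parsed from a Maven-style jar filename, or None."""
    m = VERSION_SUFFIX.search(jar_name)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def scan_lib_dir(lib_dir):
    """Inspect every jar in lib_dir and return a findings dict with four lists:
    logger_providers  jars containing org/apache/log4j/Logger.class
    eol_log4j1        jars that are the EOL log4j 1.x artifact itself
    bridges           jars supplying the log4j 1.x API without being log4j 1.x
    vulnerable_core   log4j-core jars below MIN_CORE_VERSION or still shipping JndiLookup
    """
    findings = {"logger_providers": [], "eol_log4j1": [], "bridges": [], "vulnerable_core": []}
    for name in sorted(os.listdir(lib_dir)):
        if not name.endswith(".jar"):
            continue
        with zipfile.ZipFile(os.path.join(lib_dir, name)) as jar:
            entries = set(jar.namelist())
        version = version_of(name)
        if LOG4J1_LOGGER_CLASS in entries:
            findings["logger_providers"].append(name)
            if EOL_LOG4J1_JAR.fullmatch(name):
                findings["eol_log4j1"].append(name)
            else:
                findings["bridges"].append(name)
        if name.startswith("log4j-core-"):
            too_old = version is None or version < MIN_CORE_VERSION
            if too_old or JNDI_LOOKUP_CLASS in entries:
                findings["vulnerable_core"].append(name)
    return findings


def build_sample_lib(lib_dir):
    """Write constructed sample jars covering the situations in the thread.
    The class files are zero-byte placeholders; only the entry names are inspected."""
    samples = {
        "log4j-1.2.17.jar": [LOG4J1_LOGGER_CLASS],             # EOL 1.x jar the webapp currently needs
        "log4j-core-2.14.1.jar": [JNDI_LOOKUP_CLASS],          # pre-fix 2.x core
        "log4j-1.2-api-2.17.1.jar": [LOG4J1_LOGGER_CLASS],     # 2.x bridge supplying the 1.x API
        "log4j-core-2.17.1.jar": ["org/apache/logging/log4j/core/Logger.class"],
        "commons-io-2.11.0.jar": ["org/apache/commons/io/IOUtils.class"],
    }
    for jar_name, class_entries in samples.items():
        with zipfile.ZipFile(os.path.join(lib_dir, jar_name), "w") as jar:
            for entry in class_entries:
                jar.writestr(entry, b"")
    return sorted(samples)


def demo():
    """Build the constructed WEB-INF/lib in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as lib_dir:
        build_sample_lib(lib_dir)
        return scan_lib_dir(lib_dir)


if __name__ == "__main__":
    for key, jars in demo().items():
        print(f"{key}: {jars}")
```

Against a real build, point scan_lib_dir at the exploded war's WEB-INF/lib. A clean result for the approach in #1 is exactly one entry in logger_providers, that entry in bridges rather than eol_log4j1, and an empty vulnerable_core list; if eol_log4j1 is non-empty the 1.x jar is still being shipped regardless of which logging framework the application itself configures.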


                #8
                This has been covered several times:

                Log4j 1.0 is currently required as a runtime dependency, even if not actually used, because of JVM limitations. This will be addressed in a future release.

                There is no vulnerability.

                You do not have to use EOL software.

                If we had been more aggressive in upgrading libs, you would be dealing with a zero-day exploit right now.



                  #9
                  Note that we do understand that, at a large company like yours, sometimes there is an IT department that just has a policy and no amount of explanation can change it.

                  There is a process for getting a change like this expedited: Feature Sponsorship.

                  This is also the kind of thing we'd expedite for someone with support, however, your purchasing department bought our cheapest grade of license (the one intended for cash-strapped startups!) and then declined support.

                  If you need to be able to come to us with the problems of a large enterprise - like non-functional changes that need to be made because of an intractable corporate policy - then please establish the appropriate enterprise relationship first.
