No announcement yet.
  • Filter
  • Time
Clear All
new posts

    Log4j 1.x migration to log4j2.x latest

    Hi Team,

    We are using smart client v 12.1 which is shipping log4j1.2.17.jar which is really old and there are some security concern around it. So we are looking to remove the usage of log4j1.x jar and migrate to log4j2.x jar, so need your help to understand the same.

    1. Are there any plans to upgrade the log4j1.x to log4j2.x in future smart client releases, If yes can you please provide which release we can expect this change
    2. Is log4j1.x shipped by smart client 12.1 is tightly coupled.? or is it fine to replace it with log4j 2.x and will it work seamlessly without causing any regression?

    Thanks in Advance!


    There are no vulnerabilities in log4j 1.0 that apply to SmartClient's usage.

    See the Server Logging overview for how to use log4j 2.0 via slf4j.

    We will likely switch the default logging system next release. However note, if we had done so earlier, you would be dealing with a zero-day exploit in log4j 2.0. Sometimes it's better to stick with what works..


      Thanks for the quick response,

      ----See the Server Logging overview for how to use log4j 2.0 via slf4j.
      You mean that we can replace log4j1.x and make use of slf4j and it will not impact anything on smart client side.? can you please share if there are any document around it.

      Can you please share the next release timeliness and for which version of log4j it is planned to upgrade.? and are we completely removing log4j-1.x, please confirm



        Sorry, we're not sure what you mean - SmartClient logs to whatever framework you configure, and by directing you to the Server Logging overview, we have already provided the documentation - remember the reference is searchable, so, here is the Server Logging overview we referred you to:

        For your other question, as we indicated: "We will likely switch the default logging system next release". Again this has no impact on you - you can change which framework you log to right now, if you want, and there is no security issue with either log4j 1.0 or 2.0. But if there is still something you want here, the Feature Sponsorship program allows you to get commitments on changes you want in the product.