Reload4j

Reload4j ^[1] was created by the original author of log4j 1.x, Ceki Gülcü. Reload4j is a fork of log4j version 1.2.17. It preserves the same java package name space, in this case "org.apache.log4j". However, for reasons of trademark protection, it is published under the "ch.qos.reload4j" groupId^[2] in Apache Maven Central. It can be thus considered as a drop-in replacement for log4j.

The aim of the reload4j project is to provide a migration path to those users wishing to correct log4j 1.x security issues. For many companies this is a requirement by the FTC.^[3] Upgrading to a newer version of log4j 1.x is not possible since the project has been declared EOL ^[4] by the Apache Software Foundation. This decision was reaffirmed in 2022.^[5] Moreover, log4j 2.x has a considerably different API and configuration style.

Corrected common vulnerabilities and exposures (CVE)

Reload4j fixes the following vulnerabilities:

CVE-2021-4104^[6]
CVE-2019-17571^[7]

First release

Version 1.2.8.0 of reload4j was released on January the 12th, 2022 and is available for public consumption.

slf4j-reload4j module

Subsequently, the SLF4J project has released SLF4J version 1.7.33^[8] with support for reload4j via the slf4j-reload4j module.^[9]

References

^ "reload4j". reload4j.qos.ch. Retrieved 2022-01-14.
^ "Maven – Guide to Naming Conventions". maven.apache.org. Retrieved 2022-01-14.
^ "FTC warns companies to remediate Log4j security vulnerability". Federal Trade Commission. 2022-01-04. Retrieved 2022-01-14.
^ "Apache™ Logging Services™ Project Announces Log4j™ 1 End-Of-Life; Recommends Upgrade to Log4j 2". Apache Logging Services.
^ Ron, Grabowski (2022-01-06). "Log4j 1 End-of-Life Statement". lists.apache.org. Apache Logging Services.{{cite web}}: CS1 maint: url-status (link)
^ CVE.report; CVE. "CVE-2021-4104". CVE.report. Retrieved 2022-01-14.
^ CVE.report; CVE. "CVE-2019-17571". CVE.report. Retrieved 2022-01-14.
^ SLF4J.ORG (2022-01-13). "Release of version 1.7.33". SLF4J. SLF4J.ORG.{{cite web}}: CS1 maint: numeric names: authors list (link)
^ "Reload4jLoggerAdapter (SLF4J 2.0.0-alpha6 API)". www.slf4j.org. Retrieved 2022-01-14.

This computer-programming-related article is a stub. You can help Wikipedia by expanding it.

[1] "reload4j". reload4j.qos.ch. Retrieved 2022-01-14.

[2] "Maven – Guide to Naming Conventions". maven.apache.org. Retrieved 2022-01-14.

[3] "FTC warns companies to remediate Log4j security vulnerability". Federal Trade Commission. 2022-01-04. Retrieved 2022-01-14.

[4] "Apache™ Logging Services™ Project Announces Log4j™ 1 End-Of-Life; Recommends Upgrade to Log4j 2". Apache Logging Services.

[5] Ron, Grabowski (2022-01-06). "Log4j 1 End-of-Life Statement". lists.apache.org. Apache Logging Services.{{cite web}}: CS1 maint: url-status (link)

[6] CVE.report; CVE. "CVE-2021-4104". CVE.report. Retrieved 2022-01-14.

[7] CVE.report; CVE. "CVE-2019-17571". CVE.report. Retrieved 2022-01-14.

[8] SLF4J.ORG (2022-01-13). "Release of version 1.7.33". SLF4J. SLF4J.ORG.{{cite web}}: CS1 maint: numeric names: authors list (link)

[9] "Reload4jLoggerAdapter (SLF4J 2.0.0-alpha6 API)". www.slf4j.org. Retrieved 2022-01-14.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]