Reload4j

Reload4j ^[1] was created by the original author of log4j 1.x, Ceki Gülcü. Reload4j is a fork of log4j version 1.2.17. It preserves the same java package name space, in this case "org.apache.log4j". However, for reasons of trademark protection, it is published under the "ch.qos.reload4j" groupId^[2] in Apache Maven Central. It can be thus considered as a drop-in replacement for log4j.

The aim of the reload4j project is to provide a migration path to those users wishing to correct log4j 1.x security issues. For many companies this is a requirement by the FTC.^[3] Upgrading to a newer version of log4j 1.x is not possible since the project has been declared EOL ^[4] by the Apache Software Foundation. This decision was reaffirmed in 2022^[5] and could not be rescinded despite the best efforts of several volunteers^[6]^[7]. Moreover, log4j 2.x has a considerably different API and configuration style.

Corrected common vulnerabilities and exposures (CVE)

Reload4j fixes the following vulnerabilities:

CVE-2021-4104^[8]
CVE-2019-17571^[9]

It should be noted that contrary to log4j 2.x, log4j 1.x and reload4j do not suffer from the notorious log4shell vulnerability.

First release

Version 1.2.8.0 of reload4j was released on January the 12th, 2022 and is available for public consumption.

slf4j-reload4j module

Subsequent to the first release of reload4j, the SLF4J project has released SLF4J version 1.7.33^[10] with direct support for reload4j via the slf4j-reload4j module.^[11]

References

^ "reload4j". reload4j.qos.ch. Retrieved 2022-01-14.
^ "Maven – Guide to Naming Conventions". maven.apache.org. Retrieved 2022-01-14.
^ "FTC warns companies to remediate Log4j security vulnerability". Federal Trade Commission. 2022-01-04. Retrieved 2022-01-14.
^ "Apache™ Logging Services™ Project Announces Log4j™ 1 End-Of-Life; Recommends Upgrade to Log4j 2". Apache Logging Services.
^ Ron, Grabowski (2022-01-06). "Log4j 1 End-of-Life Statement". lists.apache.org. Apache Logging Services.{{cite web}}: CS1 maint: url-status (link)
^ "[DISCUSS][VOTE] Future of Log4j 1.x". lists.apache.org. Retrieved 2022-01-14.{{cite web}}: CS1 maint: url-status (link)
^ "standardizing the Maven build". lists.apache.org. Retrieved 2022-01-14.{{cite web}}: CS1 maint: url-status (link)
^ CVE.report; CVE. "CVE-2021-4104". CVE.report. Retrieved 2022-01-14.
^ CVE.report; CVE. "CVE-2019-17571". CVE.report. Retrieved 2022-01-14.
^ SLF4J.ORG (2022-01-13). "Release of version 1.7.33". SLF4J. SLF4J.ORG.{{cite web}}: CS1 maint: numeric names: authors list (link)
^ "Reload4jLoggerAdapter (SLF4J 2.0.0-alpha6 API)". www.slf4j.org. Retrieved 2022-01-14.

This computer-programming-related article is a stub. You can help Wikipedia by expanding it.

[1] "reload4j". reload4j.qos.ch. Retrieved 2022-01-14.

[2] "Maven – Guide to Naming Conventions". maven.apache.org. Retrieved 2022-01-14.

[3] "FTC warns companies to remediate Log4j security vulnerability". Federal Trade Commission. 2022-01-04. Retrieved 2022-01-14.

[4] "Apache™ Logging Services™ Project Announces Log4j™ 1 End-Of-Life; Recommends Upgrade to Log4j 2". Apache Logging Services.

[5] Ron, Grabowski (2022-01-06). "Log4j 1 End-of-Life Statement". lists.apache.org. Apache Logging Services.{{cite web}}: CS1 maint: url-status (link)

[6] "[DISCUSS][VOTE] Future of Log4j 1.x". lists.apache.org. Retrieved 2022-01-14.{{cite web}}: CS1 maint: url-status (link)

[7] "standardizing the Maven build". lists.apache.org. Retrieved 2022-01-14.{{cite web}}: CS1 maint: url-status (link)

[8] CVE.report; CVE. "CVE-2021-4104". CVE.report. Retrieved 2022-01-14.

[9] CVE.report; CVE. "CVE-2019-17571". CVE.report. Retrieved 2022-01-14.

[10] SLF4J.ORG (2022-01-13). "Release of version 1.7.33". SLF4J. SLF4J.ORG.{{cite web}}: CS1 maint: numeric names: authors list (link)

[11] "Reload4jLoggerAdapter (SLF4J 2.0.0-alpha6 API)". www.slf4j.org. Retrieved 2022-01-14.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]