Reload4j

Reload4j^[1] was created by the original author of log4j 1.x, Ceki Gülcü. Reload4j is a fork of log4j version 1.2.17. It preserves the same java package name space, in this case org.apache.log4j. However, for reasons of trademark protection, it is published under the "ch.qos.reload4j" groupId^[2] in Apache Maven Central. It can be thus considered as a drop-in replacement for log4j^[3].

The aim of the reload4j project is to provide a migration path^[4] to those users wishing to correct log4j 1.x security issues.^[5] For many companies this is a requirement by the FTC.^[6] Upgrading to a newer version of log4j 1.x is not possible since the project has been declared EOL^[7] by the Apache Software Foundation. This decision was reaffirmed in 2022^[8] and could not be rescinded despite the best efforts of several volunteers.^[9]^[10]^[11] Moreover, log4j 2.x has a considerably different API and configuration style. While some users see the benefit, the pertinence of reload4j and the necessity of a fork is subject of debate.^[12] Nevertheless, more and more projects are migrating^[13]^[14] from log4j 1.x to reload4j.

Fixed vulnerabilities

Reload4j fixes Log4Shell (CVE-2021-44228), a zero-day remote code execution vulnerability in Log4J. Additionally, it fixes XML entity injection attacks, and several more vulnerabilities listed at Common Vulnerabilities and Exposures (CVE):

CVE-2021-4104^[15]
CVE-2019-17571^[16]
CVE-2022-23302 (SQL injection vulnerability in JDBCAppender)
CVE-2020-9493 aka CVE-2022-23307
CVE-2020-9488

First release and features

Version 1.2.18.0 of reload4j was released on January the 12th, 2022 and is available for public consumption.^[17]

Reload4j 1.2.18 does not add any new features with respect to log4j 1.2.17 although future versions are likely to provide backward compatible performance improvements.

slf4j-reload4j module

Subsequent to the first release of reload4j, the SLF4J project has released SLF4J version 1.7.33^[18] with direct support for reload4j via the slf4j-reload4j module.^[19]

As of version 1.7.35, SLF4J slf4j-log4j12 was replaced by slf4j-reload4j. By virtue of Maven relocation attribute, references to slf4j-log4j12 of will be automatically redirected to use slf4j-reload4j.

References

^ "reload4j". reload4j.qos.ch. Retrieved 2022-01-14.
^ "Maven – Guide to Naming Conventions". maven.apache.org. Retrieved 2022-01-14.
^ "log4j 1.x: reload4j for the rescue!". www.linkedin.com. Retrieved 2022-02-14.
^ "Vulnerabilities in Log4j - Continued". Field Effect Software Inc. Retrieved 2022-01-29.
^ "SLF4J". www.slf4j.org. Retrieved 2022-01-16.
^ "FTC warns companies to remediate Log4j security vulnerability". Federal Trade Commission. 2022-01-04. Retrieved 2022-01-14.
^ "Apache™ Logging Services™ Project Announces Log4j™ 1 End-Of-Life; Recommends Upgrade to Log4j 2". Apache Logging Services.
^ Ron, Grabowski (2022-01-06). "Log4j 1 End-of-Life Statement". lists.apache.org. Apache Logging Services.{{cite web}}: CS1 maint: url-status (link)
^ "Looking for a champion: resurrect log4j 1.x".{{cite web}}: CS1 maint: url-status (link)
^ "[DISCUSS][VOTE] Future of Log4j 1.x". lists.apache.org. Retrieved 2022-01-14.{{cite web}}: CS1 maint: url-status (link)
^ "standardizing the Maven build". lists.apache.org. Retrieved 2022-01-14.{{cite web}}: CS1 maint: url-status (link)
^ hugith (2022-01-17). "Reload4j. A drop-in replacement for log4j 1.2.17 (with the security issues fixed)". r/java. Retrieved 2022-01-17.
^ MyBatis, project. "MyBatis Bump reload4j from 1.2.18.3 to 1.2.18.4".
^ "Changes in Axon.ivy 8.0.24".
^ CVE.report; CVE. "CVE-2021-4104". CVE.report. Retrieved 2022-01-14.
^ CVE.report; CVE. "CVE-2019-17571". CVE.report. Retrieved 2022-01-14.
^ "Central Repository: ch/qos/reload4j/reload4j". repo.maven.apache.org. Retrieved 2022-01-14.
^ SLF4J.ORG (2022-01-13). "Release of version 1.7.33". SLF4J. SLF4J.ORG.{{cite web}}: CS1 maint: numeric names: authors list (link)
^ "Reload4jLoggerAdapter (SLF4J 2.0.0-alpha6 API)". www.slf4j.org. Retrieved 2022-01-14.

This computer-programming-related article is a stub. You can help Wikipedia by expanding it.

[1] "reload4j". reload4j.qos.ch. Retrieved 2022-01-14.

[2] "Maven – Guide to Naming Conventions". maven.apache.org. Retrieved 2022-01-14.

[3] "log4j 1.x: reload4j for the rescue!". www.linkedin.com. Retrieved 2022-02-14.

[4] "Vulnerabilities in Log4j - Continued". Field Effect Software Inc. Retrieved 2022-01-29.

[5] "SLF4J". www.slf4j.org. Retrieved 2022-01-16.

[6] "FTC warns companies to remediate Log4j security vulnerability". Federal Trade Commission. 2022-01-04. Retrieved 2022-01-14.

[7] "Apache™ Logging Services™ Project Announces Log4j™ 1 End-Of-Life; Recommends Upgrade to Log4j 2". Apache Logging Services.

[8] Ron, Grabowski (2022-01-06). "Log4j 1 End-of-Life Statement". lists.apache.org. Apache Logging Services.{{cite web}}: CS1 maint: url-status (link)

[9] "Looking for a champion: resurrect log4j 1.x".{{cite web}}: CS1 maint: url-status (link)

[10] "[DISCUSS][VOTE] Future of Log4j 1.x". lists.apache.org. Retrieved 2022-01-14.{{cite web}}: CS1 maint: url-status (link)

[11] "standardizing the Maven build". lists.apache.org. Retrieved 2022-01-14.{{cite web}}: CS1 maint: url-status (link)

[12] ugith (2022-01-17). "Reload4j. A drop-in replacement for log4j 1.2.17 (with the security issues fixed)". r/java. Retrieved 2022-01-17.

[13] MyBatis, project. "MyBatis Bump reload4j from 1.2.18.3 to 1.2.18.4".

[14] "Changes in Axon.ivy 8.0.24".

[15] CVE.report; CVE. "CVE-2021-4104". CVE.report. Retrieved 2022-01-14.

[16] CVE.report; CVE. "CVE-2019-17571". CVE.report. Retrieved 2022-01-14.

[17] "Central Repository: ch/qos/reload4j/reload4j". repo.maven.apache.org. Retrieved 2022-01-14.

[18] SLF4J.ORG (2022-01-13). "Release of version 1.7.33". SLF4J. SLF4J.ORG.{{cite web}}: CS1 maint: numeric names: authors list (link)

[19] "Reload4jLoggerAdapter (SLF4J 2.0.0-alpha6 API)". www.slf4j.org. Retrieved 2022-01-14.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]

[13]

[14]

[15]

[16]

[17]

[18]

[19]