Reload4j

This article has multiple issues. Please help improve it or discuss these issues on the talk page. (Learn how and when to remove these messages) The topic of this article may not meet Wikipedia's notability guidelines for products and services. Please help to demonstrate the notability of the topic by citing reliable secondary sources that are independent of the topic and provide significant coverage of it beyond a mere trivial mention. If notability cannot be shown, the article is likely to be merged, redirected, or deleted. Find sources: "Reload4j" – news · newspapers · books · scholar · JSTOR (January 2022) (Learn how and when to remove this message) This article relies excessively on references to primary sources. Please improve this article by adding secondary or tertiary sources. Find sources: "Reload4j" – news · newspapers · books · scholar · JSTOR (January 2022) (Learn how and when to remove this message) This article provides insufficient context for those unfamiliar with the subject. Please help improve the article by providing more context for the reader. (January 2022) (Learn how and when to remove this message) (Learn how and when to remove this message)

It has been suggested that this article be merged into Log4j. (Discuss) Proposed since January 2022.

Reload4j^[1] was created by the original author of log4j 1.x, Ceki Gülcü. Reload4j is a fork of log4j version 1.2.17. It preserves the same java package name space, in this case org.apache.log4j. However, for reasons of trademark protection, it is published under the "ch.qos.reload4j" groupId^[2] in Apache Maven Central. It can be thus considered as a drop-in replacement for log4j^[3].

The aim of the reload4j project is to provide a migration path^[4] to those users wishing to correct log4j 1.x security issues.^[5] For many companies this is a requirement by the FTC.^[6] Upgrading to a newer version of log4j 1.x is not possible since the project has been declared EOL^[7] by the Apache Software Foundation. This decision was reaffirmed in 2022^[8] and could not be rescinded despite the best efforts of several volunteers.^[9][10][11] Moreover, log4j 2.x has a considerably different API and configuration style. While some users see the benefit, the pertinence of reload4j and the necessity of a fork is subject of debate.^[12] Nevertheless, more and more projects are migrating^[13][14] from log4j 1.x to reload4j.

Reload4j fixes Log4Shell (CVE-2021-44228), a zero-day remote code execution vulnerability in Log4J. Additionally, it fixes XML entity injection attacks, and several more vulnerabilities listed at Common Vulnerabilities and Exposures (CVE):

• CVE-2021-4104^[15]
• CVE-2019-17571^[16]
• CVE-2022-23302 (SQL injection vulnerability in JDBCAppender)
• CVE-2020-9493 aka CVE-2022-23307
• CVE-2020-9488

Version 1.2.18.0 of reload4j was released on January the 12th, 2022 and is available for public consumption.^[17]

Reload4j 1.2.18 does not add any new features with respect to log4j 1.2.17 although future versions are likely to provide backward compatible performance improvements.

Subsequent to the first release of reload4j, the SLF4J project has released SLF4J version 1.7.33^[18] with direct support for reload4j via the slf4j-reload4j module.^[19]

As of version 1.7.35, SLF4J slf4j-log4j12 was replaced by slf4j-reload4j. By virtue of Maven relocation attribute, references to slf4j-log4j12 of will be automatically redirected to use slf4j-reload4j.

This computer-programming-related article is a stub. You can help Wikipedia by expanding it.

• v
• t
• e