
Reload4j

From Wikipedia, the free encyclopedia
This is an old revision of this page, as edited by Alain madak (talk | contribs) at 09:56, 16 February 2022 (added link to Jean-Baptiste Onofré's blog article). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

Reload4j[1] was created by Ceki Gülcü, the original author of log4j 1.x. Reload4j is a fork of log4j version 1.2.17. It preserves the same Java package namespace, in this case org.apache.log4j. However, for reasons of trademark protection, it is published under the "ch.qos.reload4j" groupId[2] in Apache Maven Central. It can thus be considered a drop-in replacement for log4j.[3][4]

The aim of the reload4j project is to provide a migration path[5] for users wishing to correct log4j 1.x security issues.[6] For many companies this is a requirement imposed by the FTC.[7] Upgrading to a newer version of log4j 1.x is not possible, since the project has been declared EOL[8] by the Apache Software Foundation. This decision was reaffirmed in 2022[9] and could not be rescinded despite the best efforts of several volunteers.[10][11][12] Moreover, log4j 2.x has a considerably different API and configuration style. While some users see the benefit, the pertinence of reload4j and the necessity of a fork are the subject of debate.[13] Nevertheless, more and more projects are migrating[14][15] from log4j 1.x to reload4j.

Fixed vulnerabilities

Reload4j fixes Log4Shell (CVE-2021-44228), a zero-day remote code execution vulnerability in log4j. Additionally, it fixes XML entity injection attacks and several more vulnerabilities listed at Common Vulnerabilities and Exposures (CVE):

  • CVE-2021-4104[16]
  • CVE-2019-17571[17]
  • CVE-2022-23302 (SQL injection vulnerability in JDBCAppender)
  • CVE-2020-9493 (also known as CVE-2022-23307)
  • CVE-2020-9488

First release and features

Version 1.2.18.0 of reload4j was released on 12 January 2022 and is publicly available.[18]

Reload4j 1.2.18 does not add any new features with respect to log4j 1.2.17, although future versions are likely to provide backward-compatible performance improvements.

slf4j-reload4j module

Subsequent to the first release of reload4j, the SLF4J project has released SLF4J version 1.7.33[19] with direct support for reload4j via the slf4j-reload4j module.[20]

As of version 1.7.35, SLF4J's slf4j-log4j12 module was replaced by slf4j-reload4j. By virtue of the Maven relocation mechanism, references to slf4j-log4j12 will be automatically redirected to slf4j-reload4j.
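The dependency change that the migration described above and in the introduction amounts to, as an added Maven example that is not from the reload4j or SLF4J projects: the "before" fragment declares the EOL log4j 1.2.17 through the slf4j-log4j12 binding, the "after" fragment swaps in ch.qos.reload4j:reload4j:1.2.18.0 and slf4j-reload4j (versions as named in the article). com.example:some-library is a placeholder for any third-party dependency that still pulls in log4j 1.2.x transitively; the exclusion on it is an assumption about such a dependency, not part of reload4j itself.

```xml
<!-- BEFORE (constructed example): EOL log4j 1.2.17 arrives through the
     slf4j-log4j12 binding; nothing here receives security fixes. -->
<dependencies>
  <dependency>
    <groupId>org.slf4j</groupId>
    <artifactId>slf4j-api</artifactId>
    <version>1.7.33</version>
  </dependency>
  <dependency>
    <groupId>org.slf4j</groupId>
    <artifactId>slf4j-log4j12</artifactId>   <!-- pulls in log4j:log4j:1.2.17 -->
    <version>1.7.33</version>
  </dependency>
</dependencies>

<!-- AFTER: same org.apache.log4j classes, now supplied by reload4j. -->
<dependencies>
  <dependency>
    <groupId>org.slf4j</groupId>
    <artifactId>slf4j-api</artifactId>
    <version>1.7.33</version>
  </dependency>
  <dependency>
    <groupId>org.slf4j</groupId>
    <artifactId>slf4j-reload4j</artifactId>  <!-- binding added in SLF4J 1.7.33 -->
    <version>1.7.33</version>
  </dependency>
  <dependency>
    <groupId>ch.qos.reload4j</groupId>       <!-- trademark-safe groupId -->
    <artifactId>reload4j</artifactId>
    <version>1.2.18.0</version>
  </dependency>
  <!-- com.example:some-library is a placeholder for any third-party
       dependency that still drags in log4j 1.2.x transitively. Exclude it;
       otherwise both jars provide org.apache.log4j and classpath order
       decides which (possibly unpatched) copy actually loads. -->
  <dependency>
    <groupId>com.example</groupId>
    <artifactId>some-library</artifactId>
    <version>1.0</version>
    <exclusions>
      <exclusion>
        <groupId>log4j</groupId>
        <artifactId>log4j</artifactId>
      </exclusion>
    </exclusions>
  </dependency>
</dependencies>
```

After the change, `mvn dependency:tree` should show no remaining `log4j:log4j` artifact; any that still appears marks another dependency needing the same exclusion.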

References

  1. "reload4j". reload4j.qos.ch. Retrieved 2022-01-14.
  2. "Maven – Guide to Naming Conventions". maven.apache.org. Retrieved 2022-01-14.
  3. Onofré, Jean-Baptiste. "Apache ActiveMQ 5.16.4, reload4j and more". Retrieved 2022-02-16.
  4. Elschner, Michaela. "log4j 1.x: reload4j for the rescue!". www.linkedin.com. Retrieved 2022-02-14.
  5. "Vulnerabilities in Log4j - Continued". Field Effect Software Inc. Retrieved 2022-01-29.
  6. "SLF4J". www.slf4j.org. Retrieved 2022-01-16.
  7. "FTC warns companies to remediate Log4j security vulnerability". Federal Trade Commission. 2022-01-04. Retrieved 2022-01-14.
  8. "Apache™ Logging Services™ Project Announces Log4j™ 1 End-Of-Life; Recommends Upgrade to Log4j 2". Apache Logging Services.
  9. Grabowski, Ron (2022-01-06). "Log4j 1 End-of-Life Statement". lists.apache.org. Apache Logging Services.
  10. "Looking for a champion: resurrect log4j 1.x".
  11. "[DISCUSS][VOTE] Future of Log4j 1.x". lists.apache.org. Retrieved 2022-01-14.
  12. "standardizing the Maven build". lists.apache.org. Retrieved 2022-01-14.
  13. hugith (2022-01-17). "Reload4j. A drop-in replacement for log4j 1.2.17 (with the security issues fixed)". r/java. Retrieved 2022-01-17.
  14. MyBatis project. "MyBatis Bump reload4j from 1.2.18.3 to 1.2.18.4".
  15. "Changes in Axon.ivy 8.0.24".
  16. "CVE-2021-4104". CVE.report. Retrieved 2022-01-14.
  17. "CVE-2019-17571". CVE.report. Retrieved 2022-01-14.
  18. "Central Repository: ch/qos/reload4j/reload4j". repo.maven.apache.org. Retrieved 2022-01-14.
  19. SLF4J.ORG (2022-01-13). "Release of version 1.7.33". SLF4J.
  20. "Reload4jLoggerAdapter (SLF4J 2.0.0-alpha6 API)". www.slf4j.org. Retrieved 2022-01-14.