
Reload4j

From Wikipedia, the free encyclopedia
This is an old revision of this page, as edited by Cy23 (talk | contribs) at 19:10, 19 February 2022 (corrected a few facts and also removed the link to "more and more projects are migrating", because there are only 35 https://github.com/qos-ch/reload4j/network/dependents?package_id=UGFja2FnZS0yOTczMzYwMTEx projects listed as users so far.). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

Reload4j[1] was created by the original author of log4j 1.x, Ceki Gülcü. It is a fork of log4j version 1.2.17 and preserves the same Java package namespace, org.apache.log4j. However, for reasons of trademark protection, it is published under the "ch.qos.reload4j" groupId[2] in Apache Maven Central. It can thus be considered a drop-in replacement for log4j.[3][4][5][6][7]

The aim of the reload4j project is to provide a migration path[8] for users wishing to correct log4j 1.x security issues.[9] For many companies this is a requirement of the FTC.[10] Upgrading to a newer version of log4j 1.x is not possible, since the project has been declared EOL[11] by the Apache Software Foundation. This decision was reaffirmed in 2022[12] and could not be rescinded despite the best efforts of several volunteers.[13][14][15] Instead, the Log4j team explained that some issues which can cause deadlocks and other problems are impossible to fix; the only safe way is to upgrade to a newer codebase and use one of the easy-to-use migration paths.[12] Log4j 2.x has a considerably different API and configuration style, although support for using log4j 1 configuration files is available. While some users see the benefit, the pertinence of reload4j and the necessity of a fork are a subject of debate.[16]

Fixed vulnerabilities

Reload4j was not affected by Log4Shell (CVE-2021-44228), a zero-day remote code execution vulnerability in Log4j 2.x. Additionally, it fixes XML entity injection attacks and several more vulnerabilities listed at Common Vulnerabilities and Exposures (CVE):

  • CVE-2021-4104[17]
  • CVE-2019-17571[18]
  • CVE-2022-23302 (SQL injection vulnerability in JDBCAppender)
  • CVE-2020-9493, also known as CVE-2022-23307
  • CVE-2020-9488

As of version 1.2.18.3, all CVEs reported against log4j 1.x have been fixed. Given the much smaller surface area of reload4j compared to log4j 2.x, new CVEs are less likely to be discovered.

As of today, reload4j does not address the ClassLoader problems, deadlocks and other concurrency issues found in log4j 1.

First release and features

Version 1.2.18.0 of reload4j was released on January 12, 2022 and is publicly available.[19]

Reload4j 1.2.18 does not add any new features with respect to log4j 1.2.17, although future versions are likely to provide backward-compatible performance improvements.

As of 12.18.5, all reload4j releases are reproducible: building from source yields bitwise identical results to the published binaries.

slf4j-reload4j module

Subsequent to the first release of reload4j, the SLF4J project released SLF4J version 1.7.33[20] with direct support for reload4j via the slf4j-reload4j module.[21]

As of version 1.7.35, SLF4J's slf4j-log4j12 module was replaced by slf4j-reload4j. By virtue of the Maven relocation attribute, references to slf4j-log4j12 are automatically redirected to slf4j-reload4j.
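The two swaps described in this article (log4j:log4j to ch.qos.reload4j:reload4j, which keeps the org.apache.log4j packages, and slf4j-log4j12 to slf4j-reload4j, which SLF4J 1.7.35 relocates automatically) are easiest to verify from a build's dependency tree. The following Python script is an added example, not code from the reload4j or SLF4J projects: it parses the text format printed by `mvn dependency:tree`, flags the artifacts this article says should be replaced, and flags reload4j versions older than 1.2.18.3, the version the article gives as fixing all log4j 1.x CVEs. The sample tree embedded in it is constructed for the example and does not describe a real project.

```python
"""Audit `mvn dependency:tree` output for log4j 1.x artifacts.

Added example; the sample tree below is constructed, not from a real build.
"""
import re
from typing import Iterator, List, NamedTuple, Optional


class Dependency(NamedTuple):
    group_id: str
    artifact_id: str
    version: str
    scope: Optional[str]

    @property
    def coordinate(self) -> str:
        return f"{self.group_id}:{self.artifact_id}"


class Finding(NamedTuple):
    coordinate: str
    version: str
    action: str
    advice: str


# Constructed `mvn dependency:tree` output for a hypothetical com.example:demo-app.
SAMPLE_TREE = r"""
[INFO] --- maven-dependency-plugin:3.1.2:tree (default-cli) @ demo-app ---
[INFO] com.example:demo-app:jar:1.0.0
[INFO] +- log4j:log4j:jar:1.2.17:compile
[INFO] +- org.slf4j:slf4j-api:jar:1.7.32:compile
[INFO] +- org.slf4j:slf4j-log4j12:jar:1.7.32:runtime
[INFO] +- ch.qos.reload4j:reload4j:jar:1.2.18.0:compile
[INFO] \- com.example:util:jar:2.3.1:compile
[INFO]    \- org.slf4j:slf4j-reload4j:jar:1.7.35:compile
"""

# The article states that, as of 1.2.18.3, all CVEs reported against log4j 1.x are fixed.
MIN_PATCHED_RELOAD4J = (1, 2, 18, 3)

# Replacements named in the article: (new coordinate, why it is a safe swap).
REPLACEMENTS = {
    "log4j:log4j": (
        "ch.qos.reload4j:reload4j",
        "drop-in replacement: same org.apache.log4j packages, new groupId",
    ),
    "org.slf4j:slf4j-log4j12": (
        "org.slf4j:slf4j-reload4j",
        "SLF4J binding for reload4j; SLF4J 1.7.35+ relocates this automatically",
    ),
}

SCOPES = {"compile", "runtime", "test", "provided", "system", "import"}


def version_key(version: str) -> tuple:
    """Numeric components of a version string, e.g. '1.2.18.0' -> (1, 2, 18, 0)."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def parse_tree(text: str) -> Iterator[Dependency]:
    """Yield one Dependency per coordinate line of `mvn dependency:tree` output.

    Maven prints groupId:artifactId:type[:classifier]:version[:scope]; the
    field count tells the layouts apart, so the line is split, not regex-matched.
    """
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[INFO]"):
            line = line[len("[INFO]"):]
        line = line.lstrip(" |+\\-")  # drop the tree-drawing characters
        fields = line.split(":")
        if len(fields) < 4 or any((not f) or (" " in f) for f in fields):
            continue  # plugin banner, blank line or other non-coordinate output
        scope = fields[-1] if fields[-1] in SCOPES else None
        core = fields[:-1] if scope else fields
        if len(core) not in (4, 5):  # g:a:type:version or g:a:type:classifier:version
            continue
        yield Dependency(core[0], core[1], core[-1], scope)


def audit(text: str) -> List[Finding]:
    """Flag log4j 1.x artifacts and reload4j versions below the fully patched one."""
    findings: List[Finding] = []
    for dep in parse_tree(text):
        coord = dep.coordinate
        if coord in REPLACEMENTS:
            target, why = REPLACEMENTS[coord]
            findings.append(Finding(coord, dep.version, "replace", f"use {target} ({why})"))
        elif coord == "ch.qos.reload4j:reload4j" and version_key(dep.version) < MIN_PATCHED_RELOAD4J:
            findings.append(Finding(coord, dep.version, "upgrade",
                                    "upgrade to 1.2.18.3 or later, which fixes all log4j 1.x CVEs"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_TREE):
        print(f"{f.action.upper():8} {f.coordinate}:{f.version}  -> {f.advice}")
```

Run it against a saved `mvn dependency:tree` log instead of the embedded sample to check a real build. Only the groupId:artifactId pair is matched, so a log4j jar pulled in transitively by another dependency is reported just like a direct one; the scope is kept in each Dependency so test-only occurrences can be separated out if needed.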

References

  1. "reload4j". reload4j.qos.ch. Retrieved 2022-01-14.
  2. "Maven – Guide to Naming Conventions". maven.apache.org. Retrieved 2022-01-14.
  3. Elschner, Michaela. "log4j 1.x: reload4j for the rescue!". www.linkedin.com. Retrieved 2022-02-14.
  4. "Axon Ivy platform migrating to reload4j". Twitter. Retrieved 2022-02-17.
  5. Grigg, Kadi. "Wicked Good Development - Episode 1". blog.sonatype.com. Retrieved 2022-02-16.
  6. Sohn, Matthias. "[cross-project-issues-dev] reload4j 1.2.18 fixing pressing issues of log". www.eclipse.org. Retrieved 2022-02-16.
  7. Onofré, Jean-Baptiste. "Apache ActiveMQ 5.16.4, reload4j and more". Retrieved 2022-02-16.
  8. "Vulnerabilities in Log4j - Continued". Field Effect Software Inc. Retrieved 2022-01-29.
  9. "SLF4J". www.slf4j.org. Retrieved 2022-01-16.
  10. "FTC warns companies to remediate Log4j security vulnerability". Federal Trade Commission. 2022-01-04. Retrieved 2022-01-14.
  11. "Apache™ Logging Services™ Project Announces Log4j™ 1 End-Of-Life; Recommends Upgrade to Log4j 2". Apache Logging Services.
  12. Grabowski, Ron (2022-01-06). "Log4j 1 End-of-Life Statement". lists.apache.org. Apache Logging Services.
  13. "Looking for a champion: resurrect log4j 1.x".
  14. "[DISCUSS][VOTE] Future of Log4j 1.x". lists.apache.org. Retrieved 2022-01-14.
  15. "standardizing the Maven build". lists.apache.org. Retrieved 2022-01-14.
  16. hugith (2022-01-17). "Reload4j. A drop-in replacement for log4j 1.2.17 (with the security issues fixed)". r/java. Retrieved 2022-01-17.
  17. "CVE-2021-4104". CVE.report. Retrieved 2022-01-14.
  18. "CVE-2019-17571". CVE.report. Retrieved 2022-01-14.
  19. "Central Repository: ch/qos/reload4j/reload4j". repo.maven.apache.org. Retrieved 2022-01-14.
  20. SLF4J.ORG (2022-01-13). "Release of version 1.7.33". SLF4J.
  21. "Reload4jLoggerAdapter (SLF4J 2.0.0-alpha6 API)". www.slf4j.org. Retrieved 2022-01-14.