Software:Reload4j

From HandWiki
Short description: Computer software
reload4j
Original author(s)QOS.CH Sarl (Switzerland)
Repositorygithub.com/qos-ch/reload4j
Written inJava
TypeLogging
Websitereload4j.qos.ch

Reload4j[1] was created by the original author of log4j 1.x, Ceki Gülcü. Reload4j is a fork of log4j version 1.2.17. It preserves the same java package name space, in this case org.apache.log4j. However, for reasons of trademark protection, it is published under the "ch.qos.reload4j" groupId[2] in Apache Maven Central. It can be thus considered as a drop-in replacement for log4j.[3][4][5][6][7]

The aim of the reload4j project is to provide an very easy migration path[8] to those users wishing to correct log4j 1.x security issues.[9] For many companies this is a requirement by the FTC.[10] Upgrading to a newer version of log4j 1.x is not possible since the project has been declared EOL[11] by the Apache Software Foundation. This decision was reaffirmed in 2022[12] and could not be rescinded despite the best efforts of several volunteers.[13][14][15] Instead, the Log4j2 team incomprehensibly claims that deadlocks and other problems are impossible to fix. They further claim that the only safe way is to upgrade to log4j 2.x.[12] Log4j 2.x has a considerably different API and configuration style. While some users see the benefit, the pertinence of reload4j and the necessity of a fork is subject of debate.[16]

As of May 17th, 2022, according to mvnrepository.com,[17] 122 projects have already migrated to reload4j and 124 projects to slf4j-reload4j, among them prestigious projects such as ActiveMQ, Eclipse, Kafka,[18] MyBatis and WildFly, just to name a few.

Fixed vulnerabilities

Reload4j fixes all known Common Vulnerabilities and Exposures (CVE) log4j 1.x as listed below:

  • CVE-2021-4104[19]
  • CVE-2019-17571[20]
  • CVE-2022-23302 (SQL injection vulnerability in JDBCAppender)
  • CVE-2020-9493 aka CVE-2022-23307
  • CVE-2020-9488 As of version 1.2.18.3, all CVEs reported against log4j 1.x have been fixed. Given the much smaller surface area of reload4j compared to log4j 2.x, new CVEs are less likely to be discovered.

Given that log4j 1.x did not perform variable lookup within messages, log4j 1.x was not affected by Log4Shell (CVE-2021-44228), a zero-day remote code execution vulnerability affecting Log4J 2.x.

First release and features

Version 1.2.18.0 of reload4j was released on January the 12th, 2022 and is available for public consumption.[21]

Reload4j 1.2.18 does not add any new features with respect to log4j 1.2.17 although future versions are likely to provide backward compatible performance improvements.

As of 1.2.18.5, all reload4j releases are reproducible. In other words, building from source will yield bit-wise identical results as the published binaries.

Version 1.2.20 fixes a performance related issue on a critical execution path. Future releases of reload4j are likely to bring further performance improvements.

Version 1.2.21 fixes binary compatibility issue between earlier versions of reload4j and slf4j-log4j12. While it is recommended to use slf4j-reload4j as the preferred SLF4J adapter for reload4j, with version 1.2.21+ you can freely mix any version of slf4j-log4j12, if you need to do so.

slf4j-reload4j module

Subsequent to the first release of reload4j, the SLF4J project has released SLF4J version 1.7.33[22] with direct support for reload4j via the slf4j-reload4j module.[23]

As of version 1.7.35, SLF4J slf4j-log4j12 was replaced by slf4j-reload4j. By virtue of Maven relocation attribute, references to slf4j-log4j12 of will be automatically redirected to use slf4j-reload4j.

References

  1. "reload4j". https://reload4j.qos.ch/. 
  2. "Maven – Guide to Naming Conventions". https://maven.apache.org/guides/mini/guide-naming-conventions.html. 
  3. Elschner, Michaela. "log4j 1.x: reload4j for the rescue!" (in en). https://www.linkedin.com/pulse/log4j-1x-reload4j-rescue-michaela-elschner. 
  4. "Axon Ivy platform migrating to reload4j" (in en). https://twitter.com/axonivyplatform/status/1484479821669441540/photo/1. 
  5. Grigg, Kadi. "Wicked Good Development - Episode 1" (in en-us). https://blog.sonatype.com/wicked-good-development-episode-1. 
  6. Sohn, Matthias. "[cross-project-issues-dev reload4j 1.2.18 fixing pressing issues of log"]. https://www.eclipse.org/lists/cross-project-issues-dev/msg18876.html. 
  7. Onofré, Jean-Baptiste. "Apache ActiveMQ 5.16.4, reload4j and more". https://nanthrax.blogspot.com/2022/02/apache-activemq-5164-reload4j-and-more.html. 
  8. "Vulnerabilities in Log4j - Continued" (in en-US). https://fieldeffect.com/threats/vulnerabilities-in-log4j-continued/. 
  9. "SLF4J". https://www.slf4j.org/log4shell.html. 
  10. "FTC warns companies to remediate Log4j security vulnerability" (in en). 2022-01-04. https://www.ftc.gov/news-events/blogs/techftc/2022/01/ftc-warns-companies-remediate-log4j-security-vulnerability. 
  11. "Apache™ Logging Services™ Project Announces Log4j™ 1 End-Of-Life; Recommends Upgrade to Log4j 2". https://blogs.apache.org/foundation/entry/apache_logging_services_project_announces. 
  12. 12.0 12.1 Ron, Grabowski (2022-01-06). "Log4j 1 End-of-Life Statement". Apache Logging Services. https://lists.apache.org/thread/dlz8nyrsvffmgq29d354s0l484lfc83w. 
  13. "Looking for a champion: resurrect log4j 1.x". https://lists.apache.org/thread/mx667xg7rps5b7rhgr7pojmj26o9qzq7. 
  14. "[DISCUSS[VOTE] Future of Log4j 1.x"]. https://lists.apache.org/thread/zww0brbqtvqjoz3q2hwmc8p2pj6ph4cn. 
  15. "standardizing the Maven build". https://lists.apache.org/thread/3cnz95k10htzp8by8kw0mybfvs7vfvb9. 
  16. hugith (2022-01-17). "Reload4j. A drop-in replacement for log4j 1.2.17 (with the security issues fixed)". http://www.reddit.com/r/java/comments/s6151e/reload4j_a_dropin_replacement_for_log4j_1217_with/. 
  17. "Maven Repository: reload4j". https://mvnrepository.com/search?q=reload4j. 
  18. "Apache Kafka (3.2.0 release notes)" (in en). https://kafka.apache.org/downloads.html. 
  19. CVE.report; CVE. "CVE-2021-4104" (in en). https://cve.report/CVE-2021-4104. 
  20. CVE.report; CVE. "CVE-2019-17571" (in en). https://cve.report/CVE-2019-17571. 
  21. "Central Repository: ch/qos/reload4j/reload4j". https://repo.maven.apache.org/maven2/ch/qos/reload4j/reload4j/. 
  22. SLF4J.ORG (2022-01-13). "Release of version 1.7.33". SLF4J.ORG. https://www.slf4j.org/news.html. 
  23. "Reload4jLoggerAdapter (SLF4J 2.0.0-alpha6 API)". https://www.slf4j.org/api/org/slf4j/reload4j/Reload4jLoggerAdapter.html. 




Retrieved from "https://handwiki.org/wiki/index.php?title=Software:Reload4j&oldid=956974"