
AVRO-3304: Drop-in reload4j to mitigate log4j 1.x#1464

Merged
martin-g merged 1 commit into apache:master from RyanSkraba:rskraba/AVRO-3304-reload4j
Jan 19, 2022

Conversation

@RyanSkraba
Contributor

This is an alternative to #1458

That PR replaces the logging behind slf4j from log4j 1.x to slf4j-simple, while this PR drops in the reload4j replacement.

Both these solutions are "mitigation" solutions for current CVEs, while downstream projects still bring in log4j 1.x dependencies.

I've verified that the classes in the generated avro-tools uberjar are the reload4j replacements.

Jira

Tests

  • My PR does not need testing for this extremely good reason: the equivalent of a version bump.

Commits

  • My commits all reference Jira issues in their subject lines. In addition, my commits follow the guidelines from "How to write a good git commit message":
    1. Subject is separated from body by a blank line
    2. Subject is limited to 50 characters (not including Jira issue reference)
    3. Subject does not end with a period
    4. Subject uses the imperative mood ("add", not "adding")
    5. Body wraps at 72 characters
    6. Body explains "what" and "why", not "how"

Documentation

  • In case of new functionality, my PR adds documentation that describes how to use it.
    • All the public functions and the classes in the PR contain Javadoc that explain what it does

@RyanSkraba RyanSkraba requested a review from martin-g January 18, 2022 18:26
@github-actions github-actions bot added build Java Pull Requests for Java binding labels Jan 18, 2022
@martin-g
Member

A new version of Reload4j is coming: https://twitter.com/ceki/status/1483710574051696641

@martin-g martin-g merged commit bd4e91a into apache:master Jan 19, 2022
@martin-g
Member

Merged!
We can easily update the version of Reload4j once it is released!

martin-g pushed a commit that referenced this pull request Jan 19, 2022
@RyanSkraba RyanSkraba deleted the rskraba/AVRO-3304-reload4j branch January 19, 2022 14:07
@pjfanning
Member

Can I ask what happens if Avro and its reload4j dependency are used with Hadoop and/or Spark, which still have log4j (v1) dependencies? Presumably you will just end up with 2 separate jar files, and the classloader will randomly choose the classes from the reload4j or log4j (v1) jars. It's possible that I've misinterpreted how the reload4j change will work in practice.

@martin-g
Member

Hi @pjfanning !
We have updated avro**-tools** to exclude the transitive dependency on log4j 1.x and added a dependency on reload4j. So log4j could be in the classpath only if you add it by other means in your application build configuration, or if it comes as a transitive dependency of another dependency.
But yes, if you have both in the classpath, then a random one will be chosen.
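As an added example (not code from the PR or the Avro project), the following Python script performs the two checks raised in this thread: RyanSkraba's verification that the classes in an uberjar are the reload4j replacements, and the classpath conflict pjfanning and martin-g discuss when both log4j 1.x and reload4j jars are present. It tells the two apart by the Maven `pom.properties` path each artifact ships (assumed to be present, as in the published `log4j:log4j` and `ch.qos.reload4j:reload4j` jars), and flags any classpath where more than one jar provides `org.apache.log4j`; the sample jars are constructed in a temporary directory.

```python
"""Audit a Java classpath for log4j 1.x versus the reload4j drop-in (added example)."""
import tempfile
import zipfile
from pathlib import Path

# log4j 1.2.x and reload4j ship the same org.apache.log4j classes, so the class
# names alone cannot tell them apart; the Maven metadata inside each jar can.
LOG4J_CLASS = "org/apache/log4j/Logger.class"
RELOAD4J_POM = "META-INF/maven/ch.qos.reload4j/reload4j/pom.properties"
LOG4J1_POM = "META-INF/maven/log4j/log4j/pom.properties"

def classify_jar(jar_path):
    """'reload4j', 'log4j1', 'unknown' (log4j classes, no metadata) or None."""
    with zipfile.ZipFile(jar_path) as zf:
        names = set(zf.namelist())
    if LOG4J_CLASS not in names:
        return None
    if RELOAD4J_POM in names:
        return "reload4j"
    if LOG4J1_POM in names:
        return "log4j1"
    return "unknown"  # e.g. a shaded uberjar that dropped META-INF/maven

def audit_classpath(jar_paths):
    """Which jars provide org.apache.log4j, and whether more than one does.
    Two providers means classloader search order, not the build, decides
    which copy wins (the situation raised in the PR discussion)."""
    providers = {Path(p).name: k for p in jar_paths if (k := classify_jar(p))}
    return {
        "providers": providers,
        "log4j1_present": "log4j1" in providers.values(),
        "conflict": len(providers) > 1,
    }

def make_sample_jar(directory, name, entries):
    """Write a constructed jar (a plain zip) holding empty entries with these names."""
    path = Path(directory) / name
    with zipfile.ZipFile(path, "w") as zf:
        for entry in entries:
            zf.writestr(entry, b"")
    return path

def demo_audit():
    """Audit a constructed classpath carrying both log4j 1.2.17 and reload4j."""
    with tempfile.TemporaryDirectory() as tmp:
        cp = [make_sample_jar(tmp, "reload4j.jar", [LOG4J_CLASS, RELOAD4J_POM]),
              make_sample_jar(tmp, "log4j-1.2.17.jar", [LOG4J_CLASS, LOG4J1_POM]),
              make_sample_jar(tmp, "avro.jar", ["org/apache/avro/Schema.class"])]
        return audit_classpath(cp)
```

Run `audit_classpath` over the jars of a real application classpath (for example the output of `mvn dependency:build-classpath`) to see whether the log4j 1.x exclusion actually held once all transitive dependencies are resolved.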
