Pull upstream to upgrade log4j to 2.15.0 to address security vulnerab…

…ilities Summary: Druid is running with JVM 1.8.0_232 but log4j 2.5 so it's P1 rather than p0. Pull upstream to upgrade log4j to 2.15.0 to address security vulnerabilities Changes are from the following upstream PRs: # Upgrade log4j from 2.8.2 to 2.15.0 apache#12051 apache#12056 # Upgrade log4j from 2.5 to 2.8.2 apache#8878 Reviewers: O1139 Druid, jgu, itallam Reviewed By: O1139 Druid, jgu, itallam Subscribers: jenkins, shawncao, #realtime-analytics Differential Revision: https://phabricator.pinadmin.com/D823708
debasatwa29 · Dec 13, 2021 · 5bea06b · 5bea06b
1 parent 6d2ef8e
commit 5bea06b
Show file tree

Hide file tree

Showing 4 changed files with 64 additions and 2 deletions.
diff --git a/pom.xml b/pom.xml
@@ -89,7 +89,7 @@
         <jersey.version>1.19.3</jersey.version>
         <!-- jackson 2.7.x causes injection error and 2.8.x can't be used because avatica is using 2.6.3 -->
         <jackson.version>2.6.7</jackson.version>
-        <log4j.version>2.5</log4j.version>
+        <log4j.version>2.15.0</log4j.version>
         <!-- HttpClient has not yet been ported to Netty 4.x -->
         <netty3.version>3.10.6.Final</netty3.version>
         <!-- Spark updated in https://github.com/apache/spark/pull/19884 -->

diff --git a/server/src/test/java/org/apache/druid/server/log/LoggingRequestLoggerTest.java b/server/src/test/java/org/apache/druid/server/log/LoggingRequestLoggerTest.java
@@ -42,7 +42,9 @@
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.core.Appender;
 import org.apache.logging.log4j.core.Logger;
+import org.apache.logging.log4j.core.LoggerContext;
 import org.apache.logging.log4j.core.appender.OutputStreamAppender;
+import org.apache.logging.log4j.core.config.Configuration;
 import org.apache.logging.log4j.core.layout.JsonLayout;
 import org.joda.time.DateTime;
 import org.joda.time.Interval;
@@ -154,11 +156,25 @@ public <T> QueryRunner<T> lookup(Query<T> query, QuerySegmentWalker walker)
   @BeforeClass
   public static void setUpStatic()
   {
+    LoggerContext loggerContext = (LoggerContext) LogManager.getContext(false);
+    Configuration configuration = loggerContext.getConfiguration();
     appender = OutputStreamAppender
         .newBuilder()
         .setName("test stream")
         .setTarget(BAOS)
-        .setLayout(JsonLayout.createLayout(false, true, false, true, true, StandardCharsets.UTF_8))
+        .setLayout(JsonLayout.createLayout(
+            configuration,
+            false,
+            true,
+            true,
+            false,
+            true,
+            true,
+            "[",
+            "]",
+            StandardCharsets.UTF_8,
+            true
+        ))
         .build();
     final Logger logger = (Logger)
         LogManager.getLogger(LoggingRequestLogger.class);

diff --git a/services/src/main/java/org/apache/druid/cli/Log4JShutdownPropertyChecker.java b/services/src/main/java/org/apache/druid/cli/Log4JShutdownPropertyChecker.java
@@ -32,5 +32,8 @@ public void checkProperties(Properties properties)
     if (!properties.containsKey("log4j.shutdownHookEnabled")) {
       properties.setProperty("log4j.shutdownHookEnabled", "true");
     }
+    if (!properties.containsKey("log4j2.is.webapp")) {
+      properties.setProperty("log4j2.is.webapp", "false");
+    }
   }
 }
diff --git a/services/src/test/java/org/apache/druid/cli/Log4JShutdownPropertyCheckerTest.java b/services/src/test/java/org/apache/druid/cli/Log4JShutdownPropertyCheckerTest.java
@@ -0,0 +1,43 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.druid.cli;
+
+import org.junit.Assert;
+import org.junit.Test;
+
+import java.util.Properties;
+
+public class Log4JShutdownPropertyCheckerTest
+{
+  @Test
+  public void test_sets_the_stuff()
+  {
+    Log4JShutdownPropertyChecker checker = new Log4JShutdownPropertyChecker();
+    Properties properties = new Properties();
+    checker.checkProperties(properties);
+
+    Assert.assertEquals(
+        "org.apache.druid.common.config.Log4jShutdown",
+        properties.get("log4j.shutdownCallbackRegistry")
+    );
+    Assert.assertEquals("true", properties.get("log4j.shutdownHookEnabled"));
+    Assert.assertEquals("false", properties.get("log4j2.is.webapp"));
+  }
+}