Native Server: Logging not configurable

[ryanemerson]

The quarkus native binary does not consume a lo4j2.xml file, instead logging must be configured via properties.

The config-generator should be updated so that it can automatically generate a file containing the required quarkus properties for the logging config specified in the server.yaml. This can then be combined with a .env file containing the other runtme properties, such as -Dquarkus.infinispan-server.config-file to launch the native binary.

[calohmn]

@ryanemerson Looking at the fact that log4j2.xml is not used and that configuration has to be done via quarkus properties:
Is it that logging isn't done via the log4j-core module logger implementation here and hence the native server image isn't affected by CVE-2021-44228?

[tristantarrant]

@calohmn the CVE can only work with a JVM because it requires the ability to execute bytecode. A native image cannot do that.

[calohmn]

@tristantarrant Yes, that part is clear, so the full exploits won't work.
However, I was thinking about whether the log4j lookup feature, doing variable expansion in a log message (e.g. ${hostname}) and doing the LDAP server requests alone would work. This in itself could be a problem, albeit a lesser one, for sure.