Use reload4j instead of log4j
#114
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Version 1.x of the Apache `log4j` library has been unsupported for several years and has a number of known vulnerabilities. While MaDDash remains unaffected by these vulnerabilities, it will oftentimes still be flagged by tools like Nessus, creating difficulties for system administrators. This commit replaces all `log4j` dependencies in the project with `reload4j`, a binary-compatible replacement for `log4j` that is still supported and is free from vulnerabilities that `log4j` is known to have. The `reload4j` project is essentially a continuation of the `log4j` project and offers the exact same functionality. This commit is intended to provide a simple means of transitioning away from `log4j` version 1.x and its associated problems. More details on `reload4j`: https://reload4j.qos.ch/
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Apache
log4jversion 1.x is unsupported and has several known vulnerabilities. While these vulnerabilities are not exploitable within the context of MaDDash, vulnerability scanning tools, like Nessus, will still issues warnings about its use, creating an additional workload for system administration and security staff.The commit included in this pull request aims to fix this issue by replacing
log4jwithreload4j. Thereload4jlibrary is a drop-in replacement forlog4jversion 1.x that is still supported and does not suffer from the vulnerabilities thatlog4jis known to have. Thereload4jproject has several well-known users and sponsors and is effectively a continuation of thelog4jproject. Please read more about thereload4jproject here: https://reload4j.qos.ch/This change has been tested in a small test setup consisting of several perfSONAR nodes and an archive/MaDDash server. All MaDDash logging functionality appears to be working correctly, and all other functionality appears to be working correctly as well.
Comments, questions, or concerns are welcome! Additionally, please let me know if this pull request should be opened against a different branch.
This fixes #103.