See https://github.com/vorburger/Log4j_CVE-2021-44228
$ ./gradlew run
Jan 14, 2022 6:30:52 PM ch.vorburger.log4j.App main
INFO: hello, world
As we can see, this logged "hello, world" using JUL to the console (unless otherwise configured).
It uses the (new) log4j-to-jul
module, which I (vorburger@) contributed in https://issues.apache.org/jira/browse/LOG4J2-3282.
The interesting part here is noticing that in this project we have dependencies
to both log4j-to-jul AND log4j-core (which can happen, for various reasons) -
but log4j-to-jul takes precedence over log4j-core, which is ignored.
This is because LogManager respects the priority of each Provider,
and JUL's is 15 (or 20, after this PR) whereas Core's is 10.
We can make LogManager print details about this e.g. by putting a
log4j2.StatusLogger.properties on the classpath,
which after this bug is fixed will show:
WARN StatusLogger Multiple logging implementations found:
Factory: org.apache.logging.log4j.core.impl.Log4jContextFactory, Weighting: 10
Factory: org.apache.logging.log4j.tojul.JULLoggerContextFactory, Weighting: 15
Using factory: org.apache.logging.log4j.tojul.JULLoggerContextFactory
