Comments (4)
As far as I m concerned, this may be fixed in installatable version but Docker versions still contain log4j-core-2.11.1.jar
from fluent-logger-java.
fluent-logger-java doesn't depend on Log4j2:
$ mvn dependency:tree
[INFO] Scanning for projects...
[INFO]
[INFO] ---------------------< org.fluentd:fluent-logger >----------------------
[INFO] Building Fluent Logger for Java 0.3.5-SNAPSHOT
[INFO] --------------------------------[ jar ]---------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ fluent-logger ---
[INFO] org.fluentd:fluent-logger:jar:0.3.5-SNAPSHOT
[INFO] +- org.msgpack:msgpack:jar:0.6.8:compile
[INFO] | +- com.googlecode.json-simple:json-simple:jar:1.1.1:compile
[INFO] | \- org.javassist:javassist:jar:3.16.1-GA:compile
[INFO] +- org.slf4j:slf4j-api:jar:1.7.6:compile
[INFO] +- ch.qos.logback:logback-classic:jar:1.1.1:test
[INFO] | \- ch.qos.logback:logback-core:jar:1.1.1:test
[INFO] \- junit:junit:jar:4.8.2:test
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 0.608 s
[INFO] Finished at: 2021-12-20T14:32:31+09:00
[INFO] ------------------------------------------------------------------------
Docker versions still contain log4j-core-2.11.1.jar
What does mean Docker versions
?
AFAIK fluent-logger-java is a library so that it's not distributed by Docker container without application.
It your application distributed by a Docker container has the issue, it's an issue of your application or Docker container.
from fluent-logger-java.
Hey @ashie, i only used unmodified docker versions of logstash and elasticsearch from docker.elastic.co. at least one of them in 6.8.21 and 7.16.1 still contained log4j-core 2.11.0.jar even if the class was extracted as per the proposed mitigation. I did not check other versions personally.
Even if the fix was the recommended mitigation, it's still just a mitigation, not a fix and doesn't pass security scanners.
Now 6.8.22 and 7.16.2 are completely fixed with log4j 2.17.0 so it's all good and really fixed.
from fluent-logger-java.
@ashie I thought this issue could be used to track mentioned logback issue. Since logback was a fork of log4j I thought that may be relevant.
from fluent-logger-java.
Related Issues (20)
- Bad thread interleaving may cause unexpected crash
- Current Error Handling does not return false on logging errors HOT 3
- NullPointerException when the Fluentd server is down
- API changes report for Fluent Logger HOT 1
- support fluentd with secure_forward HOT 1
- java.net.SocketException: Broken pipe HOT 4
- FluentLoggerFactory not invalidate cache after FluentLogger close
- Calling `.close()` does not clean up instance in `FluentLoggerFactory` HOT 2
- NPE in RawSocketSender HOT 1
- There is no way to set socket read timeout HOT 1
- Conflict with Spring cloud SpringApplication run
- Release 0.3.4? HOT 2
- Connection Reset on calling Fluentlogger.log() HOT 3
- Conflict with Spring Webflux
- How to pass credentials to connect remote fluentD aggregator HOT 1
- Null Pointer Exception with slf4j-log4j12-1.7.30 (Fluent-logger incompatible with the new version) HOT 3
- is this libarary can be used for fluent-bit? HOT 1
- Add Support For Unix Domain Sockets HOT 1
- Is this library still maintained?
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from fluent-logger-java.