So what next, what I should do exactly now ? -----Original Message----- From: Ralph Goers <ralph.go...@dslextreme.com> Sent: Saturday, April 22, 2023 4:32 AM To: dev@logging.apache.org Cc: Gurumoorthi Vijayalingam <gvijayalin...@simeio.com> Subject: Re: [External] Re: Log4j Issue
CAUTION: This message was sent from outside of the company. Please do not click links or open attachments unless you recognize the source of this email and know the content is safe. Note that he may also have a shaded jar that has Log4j embedded in it. That would be impossible for us to know without personally inspecting the deployment. Ralph > On Apr 21, 2023, at 12:51 PM, Christian Grobmeier <grobme...@apache.org> > wrote: > > Hello Guru, > > the only way to have this issue is with an outdated version of log4j on your > classpath. > Can you check what classpath is being used in your container? There may be an > additional classpath that we are not aware of. > > Could you let us know the full setup of your machine, in example: > - exact version of tomcat > - how do you deploy things > - have you probably included log4j in other components (fat jar) > - what is the classpath definition of your application? > > I know this is many things to ask, but the assumption is still there are two > different versions of log4j on your classpath. That's what I would check. > > Kind regards, > Christian > > > On Fri, Apr 21, 2023, at 13:53, Gurumoorthi Vijayalingam wrote: >> No, we are not deploying as war file. And the application /lib >> currently having followed log4j files. >> >> >> -rw-r-----. 1 fruser fruser 16431 Aug 25 2022 jcl-over-slf4j-1.7.21.jar >> -rw-r-----. 1 fruser fruser 4597 Aug 25 2022 jul-to-slf4j-1.7.21.jar >> -rw-r-----. 1 fruser fruser 41071 Aug 25 2022 slf4j-api-1.7.21.jar >> -rw-r-----. 1 fruser fruser 16831 Aug 25 2022 i18n-slf4j-1.4.4.jar >> -rwxr-xr-x. 1 fruser fruser 301872 Mar 2 17:28 log4j-api-2.17.1.jar >> -rwxr-xr-x. 1 fruser fruser 1790452 Mar 2 17:28 >> log4j-core-2.17.1.jar >> >> Regards, >> Guru. >> >> -----Original Message----- >> From: Christian Grobmeier <grobme...@apache.org> >> Sent: Friday, April 21, 2023 4:55 PM >> To: Gurumoorthi Vijayalingam <gvijayalin...@simeio.com>; >> dev@logging.apache.org >> Subject: Re: [External] Re: Log4j Issue >> >> CAUTION: This message was sent from outside of the company. Please do >> not click links or open attachments unless you recognize the source >> of this email and know the content is safe. >> >> >> Are you deploying your application as a war file? If so, can you >> unzip that war file and search for log4j there? >> >> -- >> The Apache Software Foundation >> V.P., Data Privacy >> >> On Fri, Apr 21, 2023, at 13:21, Gurumoorthi Vijayalingam wrote: >>> No, am not able to find log4j version in tomcat lib folder. The >>> problem occurred when we upgraded the jar files from 2.2 t o2.17 >>> >>> >>> Regards, >>> Guru. >>> >>> -----Original Message----- >>> From: Christian Grobmeier <grobme...@apache.org> >>> Sent: Friday, April 21, 2023 4:36 PM >>> To: Gurumoorthi Vijayalingam <gvijayalin...@simeio.com>; >>> dev@logging.apache.org >>> Subject: Re: [External] Re: Log4j Issue >>> >>> CAUTION: This message was sent from outside of the company. Please >>> do not click links or open attachments unless you recognize the >>> source of this email and know the content is safe. >>> >>> >>> Hello Gurumoorthi, >>> >>> please subscribe to dev@logging.apache.org by sending an empty >>> message to dev-subscr...@logging.apache.org. >>> It is hard for our message moderators to manually moderate your >>> messages through. >>> >>> You need to find the log4j version of Tomcat. Please search for this. >>> it could be in the lib folder of Tomcat. >>> >>> You can also search the whole installation of Tomcat for "log4j" or >>> "log4j-core-2.2.jar", then you should find it. >>> >>> Kind regards, >>> Christian >>> >>> >>> -- >>> The Apache Software Foundation >>> V.P., Data Privacy >>> >>> On Fri, Apr 21, 2023, at 12:51, Gurumoorthi Vijayalingam wrote: >>>> Any help on this request ? we stuck. >>>> >>>> -----Original Message----- >>>> From: Gurumoorthi Vijayalingam >>>> Sent: Thursday, April 13, 2023 7:36 AM >>>> To: Christian Grobmeier <grobme...@apache.org>; >>>> dev@logging.apache.org >>>> Subject: RE: [External] Re: Log4j Issue >>>> >>>> Hi Team, >>>> >>>> We tried the steps as Christian mentioned in below email, but still >>>> getting same error. Please help us to fix this issue >>>> >>>> Thanks, >>>> Guru. >>>> >>>> -----Original Message----- >>>> From: Christian Grobmeier <grobme...@apache.org> >>>> Sent: Tuesday, March 21, 2023 2:17 AM >>>> To: Gurumoorthi Vijayalingam <gvijayalin...@simeio.com>; >>>> dev@logging.apache.org >>>> Cc: Paolo Gil Ostrea <post...@simeio.com>; Roark Hamilton >>>> <rhamil...@simeio.com>; Bhavana Pujari <bapuj...@simeio.com>; >>>> Sireesha Kutala <skut...@simeio.com> >>>> Subject: Re: [External] Re: Log4j Issue >>>> >>>> CAUTION: This message was sent from outside of the company. Please >>>> do not click links or open attachments unless you recognize the >>>> source of this email and know the content is safe. >>>> >>>> >>>> Hello Gurumoorthi, >>>> >>>> Piotr already responded to your email: >>>> >>>>> MapLookup#newMap changed from private (as in 2.2) to package (as >>>>> in >>>>> 2.17.1) in the course of history. Your Tomcat is picking up the >>>>> private one, which means that log4j-core-2.2.jar is still on the >>>>> classpath. >>>>> Double check that the old Log4j2 version are no longer there and >>>>> restart Tomcat to be sure. >>>>> >>>>> Piotr >>>> >>>> If this information does not help you, respond to >>>> dev@logging.apache.org as Dominik told you. >>>> >>>> Kind regards, >>>> Christian >>>> >>>> >>>> -- >>>> The Apache Software Foundation >>>> V.P., Data Privacy >>>> >>>> On Mon, Mar 20, 2023, at 17:27, Gurumoorthi Vijayalingam wrote: >>>>> Hi Team, >>>>> >>>>> Can you please help us to fix this issue. >>>>> >>>>> Regards, >>>>> Guru. >>>>> >>>>> From: Dominik Psenner <dpsen...@gmail.com> >>>>> Sent: 04 March 2023 02:16 >>>>> To: secur...@logging.apache.org >>>>> Cc: Paolo Gil Ostrea <post...@simeio.com>; Roark Hamilton >>>>> <rhamil...@simeio.com>; Gurumoorthi Vijayalingam >>>>> <gvijayalin...@simeio.com> >>>>> Subject: [External] Re: Log4j Issue >>>>> >>>>> CAUTION: This message was sent from outside of the company. Please >>>>> do not click links or open attachments unless you recognize the >>>>> source of this email and know the content is safe. >>>>> >>>>> Hi >>>>> >>>>> I'm CCing the original author of the message. Please read below. >>>>> Further please consider posting to the proper mailing list. The >>>>> request is not about a security issue and probably should have >>>>> been posted to >>>>> dev@logging.apache.org<mailto:dev@logging.apache.org> >>>>> after subscribing to that mailing list. >>>>> >>>>> Warm regards >>>>> Dominik >>>>> -- >>>>> Sent from my phone. Typos are a kind gift to anyone who happens to find >>>>> them. >>>>> >>>>> On Fri, Mar 3, 2023, 21:17 Piotr P. Karwasz >>>>> <piotr.karw...@gmail.com<mailto:piotr.karw...@gmail.com>> wrote: >>>>> Gurumoorthi, >>>>> >>>>> On Fri, 3 Mar 2023 at 19:04, Gurumoorthi Vijayalingam >>>>> <gvijayalin...@simeio.com<mailto:gvijayalin...@simeio.com>> wrote: >>>>>> Just attached the error message and log4j configuration for your >>>>>> reference. >>>>> >>>>> MapLookup#newMap changed from private (as in 2.2) to package (as >>>>> in >>>>> 2.17.1) in the course of history. Your Tomcat is picking up the >>>>> private one, which means that log4j-core-2.2.jar is still on the >>>>> classpath. >>>>> Double check that the old Log4j2 version are no longer there and >>>>> restart Tomcat to be sure. >>>>> >>>>> Piotr
