The error from the first attempt looks like it's because you didn't include the log4j2 jar that provides the 1.2 compatibility API. Honestly, I'm not sure how well that would have worked anyway.
Using reload4j is a good idea, but you don't need to update slf4j to 2 to use that. You can just leave it at 1.7 and swap out the log4j 1.2 jar with reload4j's jar. The second error looks like you didn't include reload4j, only the slf4j 2.0.7 API and reload4j bridge. You still need to include reload4j itself. It's not automatically included with the slf4j-reload4j bridge. You're also including log4j2 jars... which are probably pointless if you're using reload4j and not using log4j2-slf4j2-impl. Consider downloading the latest ZK 3.6 and comparing it's lib directory with what you're trying to do with 3.5.9. I believe the latest 3.6 version uses reload4j, and should be able to use that as a guide. On Mon, Apr 17, 2023, 13:13 Priyadharsini V <priyadharsin...@cohesity.com.invalid> wrote: > Hi, > > We are using zookeeper 3.5.9 version > http://archive.apache.org/dist/zookeeper/zookeeper-3.5.9/ > and we would like to patch the log4j vulnerabilities. > > Can someone please help with this? *Unfortunately we have a dependency with > this particular version and cannot upgrade to a new version as of now. * > > I have tried to upgrade log4j-1.2.17.jar with log4j-core-2.17.0.jar and > log4j-api-2.17.0.jar. But faced these errors > > ZooKeeper JMX enabled by default > Using config: /conf/zoo.cfg > Failed to instantiate SLF4J LoggerFactory > Reported exception: > java.lang.NoClassDefFoundError: org/apache/log4j/Level > > I have also tried to add reload jar > > # Fixing Log4j vulnerabilities > RUN rm /zookeeper-3.5.9/lib/log4j-1.2.17* > RUN rm /zookeeper-3.5.9/lib/slf4j* > RUN wget > > https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-core/2.20.0/log4j-core-2.20.0.jar > -P > <https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-core/2.20.0/log4j-core-2.20.0.jar-P> > /zookeeper-3.5.9/lib/ > RUN wget > > https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-api/2.20.0/log4j-api-2.20.0.jar > -P > <https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-api/2.20.0/log4j-api-2.20.0.jar-P> > /zookeeper-3.5.9/lib/ > RUN wget > > https://repo1.maven.org/maven2/org/slf4j/slf4j-api/2.0.7/slf4j-api-2.0.7.jar > -P /zookeeper-3.5.9/lib/ > RUN wget > > https://repo1.maven.org/maven2/org/slf4j/slf4j-reload4j/2.0.7/slf4j-reload4j-2.0.7.jar > -P /zookeeper-3.5.9/lib/ > > *Error:* > > ZooKeeper JMX enabled by default > Using config: /conf/zoo.cfg > SLF4J: A SLF4J service provider failed to instantiate: > org.slf4j.spi.SLF4JServiceProvider: Provider > org.slf4j.reload4j.Reload4jServiceProvider could not be instantiated > SLF4J: No SLF4J providers were found. > SLF4J: Defaulting to no-operation (NOP) logger implementation > SLF4J: See https://www.slf4j.org/codes.html#noProviders for further > details > > Can someone please help with this?? > > Thanks, > > Priya >
