[Airavata] Log4j migration and notes for future development

2021-12-16 Thread DImuthu Upeksha
Hi All,

As you might all have heard, some versions of log4j, including 1.x and 2.x,
have been exposed to remote code execution attacks [1], and the
recommendation to avoid this is to upgrade log4j to v2.16.0. Currently,
Airavata is running on log4j 1.x, and this [2] pull request should migrate
the entire project to 2.16.0. I have scanned all the dependencies and
excluded log4j 1.x related artifacts at the definition level. Any library
that depends on log4j 1.x now routes logs through the log4j-1.2-api bridge to
log4j 2.16.0. If you are adding a new module or dependency to the project
in the future, please make sure that the following steps are covered.

1. Do not add any log4j related dependency to any module. All are loaded at
the main pom level, so you can use it.
2. If you are adding a new dependency, make sure that it does not include
any log4j dependency into the project. If it does, exclude it at the
definition level. Example: [3]. You can scan derived dependencies by
running mvn dependency:tree | grep log4j
3. Always use the slf4j logging API to add logs into the code

[1] https://www.lunasec.io/docs/blog/log4j-zero-day/
[2] https://github.com/apache/airavata/pull/275/files
[3]
https://github.com/apache/airavata/pull/275/files#diff-d5149326cfe403e4106239a432c405d04be11f1588a3d566526b4ce547fcea0bR111

Thanks
Dimuthu
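The dependency-tree scan from step 2 above, as an added shell example that is not part of Dimuthu's mail or the Airavata build: it reads `mvn dependency:tree` output (a constructed sample is embedded, not taken from the real project) and flags a log4j 1.x artifact, any org.apache.logging.log4j artifact below 2.16.0, and leftover logback, which the pull request removed. The artifact names in the sample are assumed for illustration.

```shell
#!/bin/sh
# Usage in a real build:  mvn dependency:tree | scan_log4j_tree
# Prints one line per finding and exits 1 if anything was flagged, 0 if clean.
scan_log4j_tree() {
    awk '
    {
        # dependency:tree lines look like:
        #   [INFO] |  \- log4j:log4j:jar:1.2.17:compile
        # the coordinate is the field containing at least three colons
        for (i = 1; i <= NF; i++) {
            n = split($i, p, ":")
            if (n < 4) continue
            group = p[1]; artifact = p[2]
            # root line has no scope (g:a:type:version); others end with scope
            version = (n == 4) ? p[4] : p[n - 1]
            if (group == "log4j" && artifact == "log4j") {
                print "log4j 1.x present: " $i; bad++
            } else if (group == "org.apache.logging.log4j") {
                split(version, v, ".")
                # the mail recommends 2.16.0; anything older is flagged
                if (v[1] + 0 < 2 || (v[1] + 0 == 2 && v[2] + 0 < 16)) {
                    print "log4j2 below 2.16.0: " $i; bad++
                }
            } else if (group == "ch.qos.logback") {
                print "logback still on the classpath: " $i; bad++
            }
        }
    }
    END { exit (bad > 0) }
    '
}

# Constructed sample in the format mvn dependency:tree prints (assumed
# artifact names, not real Airavata output): one transitive log4j 1.x
# dependency and one leftover logback artifact should be flagged.
SAMPLE_TREE='[INFO] org.example:demo-service:jar:1.0-SNAPSHOT
[INFO] +- org.slf4j:slf4j-api:jar:1.7.32:compile
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.16.0:compile
[INFO] +- org.apache.logging.log4j:log4j-1.2-api:jar:2.16.0:compile
[INFO] +- org.example:legacy-client:jar:3.4.0:compile
[INFO] |  \- log4j:log4j:jar:1.2.17:compile
[INFO] \- ch.qos.logback:logback-classic:jar:1.2.3:compile'
```

Run it in CI after the build so a new dependency that drags log4j 1.x back in fails the job instead of surfacing only in a manual `grep`.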


[GitHub] [airavata] DImuthuUpe opened a new pull request #275: Upgrading log4j v1 to log4j 2.16.0 to address recent security vulnerabilities

2021-12-16 Thread GitBox


DImuthuUpe opened a new pull request #275:
URL: https://github.com/apache/airavata/pull/275


   - Removed all log4j, logback dependencies
   - Replaced logback.xml with new log4j2.xml configurations for all services
   - Removed kafka logging support classes as log4j2 has in-built appenders to do that
   - Removed zookeeper dependencies from Api server (Refactoring)


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@airavata.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org