Joachim Durchholz created SLF4J-491: ---------------------------------------
Summary: Deprecate or remove slf4j-log4j12
Key: SLF4J-491
URL: https://jira.qos.ch/browse/SLF4J-491
Project: SLF4J
Issue Type: Task
Components: Implementations
Reporter: Joachim Durchholz
Assignee: SLF4J developers list

[http://logging.apache.org/log4j/1.2/index.html] states that log4j 1.2 has an unresolved security hole (unvalidated deserialization, remotely exploitable without authorization).

_Java 9 having a different version string format broke log4j's version string parsing, introducing bugs into its MDC implementation, but that's much less important._

Options for the documentation:
# Add a warning to the SLF4J manual that slf4j-log4j12 should not be used anymore.
# Remove mentions of slf4j-log4j12 entirely.

Options for the code:
Since slf4j-log4j12 cannot be removed from Maven repositories, a new version that warns about the issue should be released:
# Make it output an ERROR, stating "log4j 1.2 has an unfixed security hole; your application can be hacked by anybody with network access (CVE-2019-17571). Migrate to another logging backend as soon as possible."
# As above, but make it abort startup. (That's probably too much; there could be edge cases where an organization cannot migrate and cannot downgrade back to a previous, working slf4j-log4j12.)

--
This message was sent by Atlassian Jira
(v8.8.0#808000)
_______________________________________________
slf4j-dev mailing list
slf4j-dev@qos.ch
http://mailman.qos.ch/mailman/listinfo/slf4j-dev
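As an added illustration of the two code options proposed in the issue (this is example code, not part of the original message and not SLF4J project code): a startup guard that detects whether the active SLF4J binding is slf4j-log4j12 by the factory class name the binding actually ships (org.slf4j.impl.Log4jLoggerFactory), logs the proposed ERROR, and optionally refuses to start unless an opt-out system property is set. The property name log4j12.guard.allow is an assumption chosen for this example; the check for org.apache.log4j.net.SocketServer only reports whether that class is loadable, not whether a listener is running.

```java
import org.slf4j.ILoggerFactory;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * Example guard (not SLF4J code): run once at application startup, or from a
 * static initializer in a hypothetical warning release of the binding.
 */
public final class Log4j12BindingGuard {
    // Factory class provided by the real slf4j-log4j12 binding.
    private static final String LOG4J12_FACTORY = "org.slf4j.impl.Log4jLoggerFactory";
    // Class affected by CVE-2019-17571 in log4j 1.2 (per the issue text).
    private static final String SOCKET_SERVER = "org.apache.log4j.net.SocketServer";
    // Assumed opt-out property for deployments that cannot migrate yet.
    private static final String OPT_OUT_PROPERTY = "log4j12.guard.allow";

    private Log4j12BindingGuard() {}

    /** True when the SLF4J binding that answered LoggerFactory is slf4j-log4j12. */
    public static boolean isLog4j12Bound() {
        ILoggerFactory factory = LoggerFactory.getILoggerFactory();
        return factory != null && LOG4J12_FACTORY.equals(factory.getClass().getName());
    }

    /** True when log4j 1.2's SocketServer class can be loaded (class present, not necessarily used). */
    public static boolean isSocketServerPresent() {
        try {
            Class.forName(SOCKET_SERVER, false, Log4j12BindingGuard.class.getClassLoader());
            return true;
        } catch (ClassNotFoundException e) {
            return false;
        }
    }

    /**
     * Option 1 from the issue: emit an ERROR. Option 2: also abort startup,
     * unless -Dlog4j12.guard.allow=true is set so a deployment that cannot
     * migrate can still boot.
     */
    public static void check(boolean abortOnDetection) {
        if (!isLog4j12Bound()) {
            return;
        }
        Logger log = LoggerFactory.getLogger(Log4j12BindingGuard.class);
        log.error("slf4j-log4j12 is the active binding; log4j 1.2 has an unfixed "
                + "deserialization vulnerability (CVE-2019-17571; SocketServer class present: {}). "
                + "Migrate to another logging backend as soon as possible.", isSocketServerPresent());
        if (abortOnDetection && !Boolean.getBoolean(OPT_OUT_PROPERTY)) {
            throw new IllegalStateException("Refusing to start with slf4j-log4j12; set -D"
                    + OPT_OUT_PROPERTY + "=true to override");
        }
    }

    public static void main(String[] args) {
        // "--abort" selects option 2; without it the guard only logs (option 1).
        check(args.length > 0 && "--abort".equals(args[0]));
    }
}
```

Run it with slf4j-log4j12 on the classpath to see the ERROR; with logback or log4j 2 bound it stays silent, which is the behaviour the issue wants from a warning release.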