Update or replace Log4J 1 library

Jody Garnett edited this page Feb 14, 2022 · 12 revisions

GeoServer presently uses the older Log4J 1 library which is no longer actively maintained. The recently reported security vulnerability for Log4J 2 (which we do not use) has brought this matter to public attention.

This maintenance activity is to upgrade or replace the log4j library:

  • GeoTools and GeoServer use Java Util Logging (JUL) to bridge to log4j (or any other library).

    A LoggingFactory for log4j2, or for a replacement logging library, will be needed.

  • GeoWebCache uses commons-logging; it is not yet clear what kind of upgrade is needed here.

  • GeoServer allows users to choose between log4j configuration files. We wish to provide a smooth upgrade path, either through automatic compatibility or through documentation.

    The GeoServer UI reconfigures the log4j API directly at runtime, rather than requiring a restart.

  • There may be issues with other dependencies such as NetCDF.

Candidates:

  • Logback

    Proposal GSIP 209 - Replace Log4j 1.x with Logback (work in progress).

    As an example, Spring uses commons-logging and defaults to logback, with slf4j adapters to catch any dependencies using log4j1, log4j2, logbook, or JUL.

    This looks to be an amazing upgrade from log4j1, even just for the "stack traces with packaging data" feature.

  • log4j2

    Proposal GSIP 167 - Log4j2 Upgrade updated with example log4j2 configuration files.

    If the log4j2 ability to load log4j1 configuration files works, this approach offers minimal disruption for our users.

References:

Sponsors

Please see our Sponsor page for details on how to financially support this activity.

Our thanks to the following organizations:

Developers

If you have availability to work on this activity we welcome your participation:

  • If you have a great idea on how to update or replace the log4j library, create a proposal!

  • Thanks to our sponsors, the GeoServer PSC is in a position to cover some of your time and expenses.
    Please include a quote as part of your proposal; we will do what we can.

  • Work is required across the GeoServer, GeoTools and GeoWebCache codebases for this activity to be successful.