You are viewing a plain text version of this content. The canonical link for it is here.
Posted to notifications@logging.apache.org by "Matt Sicker (Jira)" <ji...@apache.org> on 2022/01/17 20:48:00 UTC
[jira] [Updated] (LOG4J2-3232) Log4j 3.0 - Better Java SE modules dependency
[ https://issues.apache.org/jira/browse/LOG4J2-3232?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Matt Sicker updated LOG4J2-3232:
--------------------------------
Epic Link: LOG4J2-2226
> Log4j 3.0 - Better Java SE modules dependency
> ---------------------------------------------
>
> Key: LOG4J2-3232
> URL: https://issues.apache.org/jira/browse/LOG4J2-3232
> Project: Log4j 2
> Issue Type: New Feature
> Components: Core
> Affects Versions: 2.16.0
> Reporter: Bruno Borges
> Priority: Major
>
> Due to its legacy pre-Java 9 JPMS era, Log4j 2 Core currently has strong dependencies to 'java.desktop' and 'java.management' modules. Log4j 2 Core breaks and does not work properly without these two modules.
> Module 'java.naming' is referenced but optional for proper runtime operation. The RCE vulnerability reported in December 2021 towards Log4j 2.x can be mitigated in any Java 9+ version as long the runtime had been assembled with jlink and excluding 'java.naming' module.
> As Log4j is reimagined for a 3.0 major new release, it would be recommended to have a Core module that relies solely on 'java.base' and 'java.logging', while separating/publishing different functionalities as separate artifacts/modules, so users can consume them on-demand.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)