You are viewing a plain text version of this content. The canonical link for it is here.

Posted to notifications@logging.apache.org by "Ralph Goers (Jira)" <ji...@apache.org> on 2022/01/17 21:13:00 UTC

[jira] [Commented] (LOG4J2-3232) Log4j 3.0 - Better Java SE modules dependency

    [ https://issues.apache.org/jira/browse/LOG4J2-3232?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17477419#comment-17477419 ] 

Ralph Goers commented on LOG4J2-3232:
-------------------------------------

This should really just be closed as a duplicate. This work has been going on for quite a while and is about 80% done.

> Log4j 3.0 - Better Java SE modules dependency
> ---------------------------------------------
>
>                 Key: LOG4J2-3232
>                 URL: https://issues.apache.org/jira/browse/LOG4J2-3232
>             Project: Log4j 2
>          Issue Type: New Feature
>          Components: Core
>    Affects Versions: 2.16.0
>            Reporter: Bruno Borges
>            Priority: Major
>
> Due to its legacy pre-Java 9 JPMS era, Log4j 2 Core currently has strong dependencies to 'java.desktop' and 'java.management' modules. Log4j 2 Core breaks and does not work properly without these two modules.
> Module 'java.naming' is referenced but optional for proper runtime operation. The RCE vulnerability reported in December 2021 towards Log4j 2.x can be mitigated in any Java 9+ version as long the runtime had been assembled with jlink and excluding 'java.naming' module.
> As Log4j is reimagined for a 3.0 major new release, it would be recommended to have a Core module that relies solely on 'java.base' and 'java.logging', while separating/publishing different functionalities as separate artifacts/modules, so users can consume them on-demand.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)