dropping flawed log4j jar and improving config
authorChris Koeritz <fred@gruntose.com>
Fri, 10 Dec 2021 22:28:39 +0000 (17:28 -0500)
committerChris Koeritz <fred@gruntose.com>
Fri, 10 Dec 2021 22:28:39 +0000 (17:28 -0500)
the log4.properties now has mitigation of the bug spoken of here:
https://news.ycombinator.com/item?id=29507263

kona/lib/full_jar_list.txt [new file with mode: 0644]
kona/lib/log4j-1.2.16.jar [deleted file]
kona/log4j.properties

diff --git a/kona/lib/full_jar_list.txt b/kona/lib/full_jar_list.txt
new file mode 100644 (file)
index 0000000..06650da
--- /dev/null
@@ -0,0 +1,14 @@
+./commons-logging-api-1.1.1.jar
+./SizeOf.jar
+./commons-logging-1.1.1.jar
+./commons-logging-adapters-1.1.1.jar
+./log4j-1.2.16.jar
+./org.eclipse.osgi_3.8.0.v20120529-1548.jar
+./commons-compress-1.8.1.jar
+./commons-io-2.4.jar
+./ant-junit.jar
+./commons-logging-1.1.1-sources.jar
+./commons-logging-tests.jar
+./commons-logging-1.1.1-javadoc.jar
+./junit-4.5.jar
+./commons-lang3-3.5.jar
diff --git a/kona/lib/log4j-1.2.16.jar b/kona/lib/log4j-1.2.16.jar
deleted file mode 100644 (file)
index 3f9d847..0000000
Binary files a/kona/lib/log4j-1.2.16.jar and /dev/null differ
index ef68572b65c76408607be4c244913b2889f61fe8..361aa5781b229d18d89702c38c3fe27d85a4825e 100644 (file)
@@ -5,7 +5,9 @@ log4j.rootCategory=, TTY, LOGFILE
 log4j.appender.TTY=org.apache.log4j.ConsoleAppender\r
 log4j.appender.TTY.Threshold=DEBUG\r
 log4j.appender.TTY.layout=org.apache.log4j.PatternLayout\r
-log4j.appender.TTY.layout.ConversionPattern=%d{yyyy-MM-dd HH:mm:ss.SSS} %-5p [%-28c{2}] - %m%n\r
+log4j.appender.TTY.layout.ConversionPattern=%d{yyyy-MM-dd HH:mm:ss.SSS} %-5p [%-28c{2}] - %m{nolookups}%n\r
+\r
+#NOTE: vulnerability with bare percent m style: https://news.ycombinator.com/item?id=29507263\r
 \r
 # LOGFILE is set to be a RollingFileAppender using a PatternLayout.\r
 log4j.appender.LOGFILE=org.apache.log4j.RollingFileAppender\r
@@ -14,5 +16,5 @@ log4j.appender.LOGFILE.MaxFileSize=10MB
 log4j.appender.LOGFILE.MaxBackupIndex=10\r
 log4j.appender.LOGFILE.Threshold=DEBUG\r
 log4j.appender.LOGFILE.layout=org.apache.log4j.PatternLayout\r
-log4j.appender.LOGFILE.layout.ConversionPattern=%d{yyyy-MM-dd HH:mm:ss.SSS} %-5p [%-28c{2}] - %m%n\r
+log4j.appender.LOGFILE.layout.ConversionPattern=%d{yyyy-MM-dd HH:mm:ss.SSS} %-5p [%-28c{2}] - %m{nolookups}%n\r
 \r