log4j 1.2.16 JMSAppender.class


Miten Mehta

Jun 6, 2023, 8:28:00 AM
to Repo and Gerrit Discussion
Hi,

I have Gerrit 2.8.1, and a Nessus scan reported that its log4j 1.2.16 contains org/apache/log4j/net/JMSAppender.class. I tried deleting that class from the jar, repacking the war and running it, but it gives a ClassNotFoundException for some com.google.gerrit.server.util.PluginLogFile and fails to start the Gerrit process.

I cannot upgrade the Gerrit version, so I am looking for a fix. I read on the log4j web page that one option is to use the bridge; will that fix the above finding? I am not sure about the second option, since it seems to involve config changes etc.



Regards,

Miten.
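One way to check the Nessus finding directly against the deployed artifact, as an added example that is not from this thread or from the Gerrit project: a Python script that walks a war and every jar nested under it (WEB-INF/lib and deeper) looking for the org/apache/log4j/net/JMSAppender.class entry, which is what the scanner flagged. The sample war it scans is constructed in memory with placeholder class bodies, and all function names here are assumptions.

```python
"""Scan a WAR/JAR, including jars nested inside it, for a given class entry.

Added example (not from the thread). The constructed sample war mimics the
layout in the question: a log4j 1.2.16 jar under WEB-INF/lib that carries
org/apache/log4j/net/JMSAppender.class.
"""
import io
import zipfile

TARGET_CLASS = "org/apache/log4j/net/JMSAppender.class"
NESTED_SUFFIXES = (".jar", ".war", ".zip", ".ear")


def find_class_entries(archive_bytes, target=TARGET_CLASS, path="", depth=0, max_depth=4):
    """Return 'outer.war!inner.jar!entry' strings for every occurrence of target.

    Recurses into entries that are themselves archives so shaded or nested
    jars are covered; max_depth bounds the recursion for nested-archive bombs.
    """
    hits = []
    if depth > max_depth:
        return hits
    try:
        zf = zipfile.ZipFile(io.BytesIO(archive_bytes))
    except zipfile.BadZipFile:
        return hits  # a .jar-named entry that is not actually a zip container
    with zf:
        for info in zf.infolist():
            name = info.filename
            here = f"{path}!{name}" if path else name
            if name == target:
                hits.append(here)
            elif name.lower().endswith(NESTED_SUFFIXES) and not info.is_dir():
                hits.extend(find_class_entries(zf.read(info), target, here, depth + 1, max_depth))
    return hits


def build_zip(entries):
    """Build an in-memory zip from {entry name: bytes}; used only for the sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_war(include_jms=True):
    """Constructed sample war: fake log4j 1.2.16 jar plus an unrelated jar.

    The .class bodies are placeholder bytes, not bytecode; only entry names
    matter to the scanner. include_jms=False models a jar with the class
    entry removed, as the question describes trying.
    """
    log4j_entries = {
        "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\r\nImplementation-Version: 1.2.16\r\n",
        "org/apache/log4j/Logger.class": b"\xca\xfe\xba\xbe placeholder",
    }
    if include_jms:
        log4j_entries[TARGET_CLASS] = b"\xca\xfe\xba\xbe placeholder"
    return build_zip({
        "WEB-INF/web.xml": b"<web-app/>",
        "WEB-INF/lib/log4j-1.2.16.jar": build_zip(log4j_entries),
        "WEB-INF/lib/other-lib.jar": build_zip({"com/example/Foo.class": b"placeholder"}),
    })


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # real usage: python scan_war.py /path/to/gerrit.war
        with open(sys.argv[1], "rb") as f:
            data = f.read()
    else:
        data = build_sample_war()  # demo on the constructed sample
    hits = find_class_entries(data)
    for hit in hits:
        print("FOUND:", hit)
    if not hits:
        print("no", TARGET_CLASS, "entry found")
```

Run it against the real war to confirm what the scanner saw and where the entry lives. A clean result only says the class entry is absent from the artifact; as the rest of the thread makes clear, it says nothing about whether the application still starts or whether the rest of that log4j version is acceptable.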

Matthias Sohn

Jun 6, 2023, 4:21:34 PM
to Miten Mehta, Repo and Gerrit Discussion
You are running a 9-year-old release that has been EOL for a long time.
The versions that were supported when Log4Shell hit the fan were updated to use reload4j.

You should upgrade to a supported version ASAP.
Supported versions are currently 3.6, 3.7 and 3.8; see https://www.gerritcodereview.com/support.html.

-Matthias

Luca Milanesio

Jun 6, 2023, 6:41:09 PM
to Repo and Gerrit Discussion, Luca Milanesio, Miten Mehta, Matthias Sohn

On 6 Jun 2023, at 21:20, Matthias Sohn <matthi...@gmail.com> wrote:

On Tue, Jun 6, 2023 at 2:28 PM Miten Mehta <india...@gmail.com> wrote:
Hi,

I have Gerrit 2.8.1, and a Nessus scan reported that its log4j 1.2.16 contains org/apache/log4j/net/JMSAppender.class. I tried deleting that class from the jar, repacking the war and running it, but it gives a ClassNotFoundException for some com.google.gerrit.server.util.PluginLogFile and fails to start the Gerrit process.

I cannot upgrade the Gerrit version, so I am looking for a fix.

Why? What is the problem you are facing with the upgrade? Do you run plain-vanilla Gerrit or a fork?
Your version is very old; however, you could look for additional professional support (see Enterprise Support at [1]) to help you with the migration path.

HTH

Luca.

To view this discussion on the web visit https://groups.google.com/d/msgid/repo-discuss/CAKSZd3R4w3%3DzD5y6zbV%2B%3D2VednOLseFY%3DTEuO8PSjvLubB6nGA%40mail.gmail.com.