On Mon, 13 Dec 2021, GAURAV Pande via FreeIPA-users wrote:
> below rpm is installed as a dependency for FreeIPA server install
> version 4.6.8 on Oracle Linux 7.
> log4j-1.2.17-16.el7_4.noarch.rpm
> can this be confirmed that it doesn't have any impact on the same?
I don't use Oracle Linux 7.
Please read the following carefully.
On latest RHEL 7.9 log4j is pulled as a part of slf4j dependencies
through apache-commons-logging.
The way how slf4j is used by Dogtag is defined by /usr/share/pki/etc/logging.properties
-----------------------------------------------------------------------------
# grep -v '^#' /usr/share/pki/etc/logging.properties
java.util.logging.ConsoleHandler.level = ALL
java.util.logging.ConsoleHandler.formatter = java.util.logging.SimpleFormatter
java.util.logging.SimpleFormatter.format = %4$s: %5$s%6$s%n
.level = WARNING
.handlers = java.util.logging.ConsoleHandler
-----------------------------------------------------------------------------
Additionally, Dogtag uses /usr/share/pki/lib as the path where it looks for
Java libraries:
# rpm -qlv pki-base-java
drwxr-xr-x 2 root root 0 syys 15 21:18 /usr/share/java/pki
-rw-r--r-- 1 root root 682621 syys 15 21:18
/usr/share/java/pki/pki-certsrv.jar
-rw-r--r-- 1 root root 188108 syys 15 21:18
/usr/share/java/pki/pki-cmsutil.jar
-rw-r--r-- 1 root root 420890 syys 15 21:18
/usr/share/java/pki/pki-nsutil.jar
drwxr-xr-x 2 root root 0 syys 15 21:18
/usr/share/pki/examples/java
-rw-r--r-- 1 root root 2723 maalis 29 2020
/usr/share/pki/examples/java/CACertClientExample.java
-rw-r--r-- 1 root root 2964 maalis 29 2020
/usr/share/pki/examples/java/CAClientExample.java
drwxr-xr-x 2 root root 0 syys 15 21:18 /usr/share/pki/lib
lrwxrwxrwx 1 root root 31 syys 15 21:18
/usr/share/pki/lib/commons-cli.jar -> /usr/share/java/commons-cli.jar
lrwxrwxrwx 1 root root 33 syys 15 21:18
/usr/share/pki/lib/commons-codec.jar -> /usr/share/java/commons-codec.jar
lrwxrwxrwx 1 root root 38 syys 15 21:18
/usr/share/pki/lib/commons-httpclient.jar -> /usr/share/java/commons-httpclient.jar
lrwxrwxrwx 1 root root 30 syys 15 21:18
/usr/share/pki/lib/commons-io.jar -> /usr/share/java/commons-io.jar
lrwxrwxrwx 1 root root 32 syys 15 21:18
/usr/share/pki/lib/commons-lang.jar -> /usr/share/java/commons-lang.jar
lrwxrwxrwx 1 root root 35 syys 15 21:18
/usr/share/pki/lib/commons-logging.jar -> /usr/share/java/commons-logging.jar
lrwxrwxrwx 1 root root 45 syys 15 21:18
/usr/share/pki/lib/httpclient.jar -> /usr/share/java/httpcomponents/httpclient.jar
lrwxrwxrwx 1 root root 43 syys 15 21:18
/usr/share/pki/lib/httpcore.jar -> /usr/share/java/httpcomponents/httpcore.jar
lrwxrwxrwx 1 root root 44 syys 15 21:18
/usr/share/pki/lib/jackson-core-asl.jar ->
/usr/share/java/jackson/jackson-core-asl.jar
lrwxrwxrwx 1 root root 41 syys 15 21:18
/usr/share/pki/lib/jackson-jaxrs.jar -> /usr/share/java/jackson/jackson-jaxrs.jar
lrwxrwxrwx 1 root root 46 syys 15 21:18
/usr/share/pki/lib/jackson-mapper-asl.jar ->
/usr/share/java/jackson/jackson-mapper-asl.jar
lrwxrwxrwx 1 root root 42 syys 15 21:18
/usr/share/pki/lib/jackson-mrbean.jar -> /usr/share/java/jackson/jackson-mrbean.jar
lrwxrwxrwx 1 root root 41 syys 15 21:18
/usr/share/pki/lib/jackson-smile.jar -> /usr/share/java/jackson/jackson-smile.jar
lrwxrwxrwx 1 root root 38 syys 15 21:18
/usr/share/pki/lib/jackson-xc.jar -> /usr/share/java/jackson/jackson-xc.jar
lrwxrwxrwx 1 root root 28 syys 15 21:18
/usr/share/pki/lib/jaxb-api.jar -> /usr/share/java/jaxb-api.jar
lrwxrwxrwx 1 root root 22 syys 15 21:18
/usr/share/pki/lib/jss4.jar -> /usr/lib/java/jss4.jar
lrwxrwxrwx 1 root root 27 syys 15 21:18
/usr/share/pki/lib/ldapjdk.jar -> /usr/share/java/ldapjdk.jar
lrwxrwxrwx 1 root root 35 syys 15 21:18
/usr/share/pki/lib/pki-certsrv.jar -> /usr/share/java/pki/pki-certsrv.jar
lrwxrwxrwx 1 root root 35 syys 15 21:18
/usr/share/pki/lib/pki-cmsutil.jar -> /usr/share/java/pki/pki-cmsutil.jar
lrwxrwxrwx 1 root root 34 syys 15 21:18
/usr/share/pki/lib/pki-nsutil.jar -> /usr/share/java/pki/pki-nsutil.jar
lrwxrwxrwx 1 root root 33 syys 15 21:18
/usr/share/pki/lib/pki-tools.jar -> /usr/share/java/pki/pki-tools.jar
lrwxrwxrwx 1 root root 56 syys 15 21:18
/usr/share/pki/lib/resteasy-atom-provider.jar ->
/usr/share/java/resteasy-base/resteasy-atom-provider.jar
lrwxrwxrwx 1 root root 49 syys 15 21:18
/usr/share/pki/lib/resteasy-client.jar ->
/usr/share/java/resteasy-base/resteasy-client.jar
lrwxrwxrwx 1 root root 59 syys 15 21:18
/usr/share/pki/lib/resteasy-jackson-provider.jar ->
/usr/share/java/resteasy-base/resteasy-jackson-provider.jar
lrwxrwxrwx 1 root root 56 syys 15 21:18
/usr/share/pki/lib/resteasy-jaxb-provider.jar ->
/usr/share/java/resteasy-base/resteasy-jaxb-provider.jar
lrwxrwxrwx 1 root root 43 syys 15 21:18
/usr/share/pki/lib/resteasy-jaxrs-api.jar ->
/usr/share/java/resteasy-base/jaxrs-api.jar
lrwxrwxrwx 1 root root 55 syys 15 21:18
/usr/share/pki/lib/resteasy-jaxrs-jandex.jar ->
/usr/share/java/resteasy-base/resteasy-jaxrs-jandex.jar
lrwxrwxrwx 1 root root 48 syys 15 21:18
/usr/share/pki/lib/resteasy-jaxrs.jar ->
/usr/share/java/resteasy-base/resteasy-jaxrs.jar
lrwxrwxrwx 1 root root 27 syys 15 21:18
/usr/share/pki/lib/servlet.jar -> /usr/share/java/servlet.jar
lrwxrwxrwx 1 root root 35 syys 15 21:18
/usr/share/pki/lib/slf4j-api.jar -> /usr/share/java/slf4j/slf4j-api.jar
lrwxrwxrwx 1 root root 37 syys 15 21:18
/usr/share/pki/lib/slf4j-jdk14.jar -> /usr/share/java/slf4j/slf4j-jdk14.jar
Only slf4j-jdk14.jar is present there among the SLF4J providers. This means
that even when log4j is installed on the system, it is not used by the
Dogtag components.
Regarding Tomcat, the instance configured by Dogtag uses log4j as log4j
is present there and is configured:
---------------------------------------------------------------
/var/lib/pki/pki-tomcat/lib:
drwxrwx---. 2 pkiuser pkiuser 4096 13.12. 08:53 .
drwxrwx---. 7 pkiuser pkiuser 146 13.12. 08:53 ..
lrwxrwxrwx. 1 pkiuser pkiuser 41 13.12. 08:53 annotations-api.jar ->
/usr/share/tomcat/lib/annotations-api.jar
lrwxrwxrwx. 1 pkiuser pkiuser 38 13.12. 08:53 catalina-ant.jar ->
/usr/share/tomcat/lib/catalina-ant.jar
lrwxrwxrwx. 1 pkiuser pkiuser 37 13.12. 08:53 catalina-ha.jar ->
/usr/share/tomcat/lib/catalina-ha.jar
lrwxrwxrwx. 1 pkiuser pkiuser 34 13.12. 08:53 catalina.jar ->
/usr/share/tomcat/lib/catalina.jar
lrwxrwxrwx. 1 pkiuser pkiuser 41 13.12. 08:53 catalina-tribes.jar ->
/usr/share/tomcat/lib/catalina-tribes.jar
lrwxrwxrwx. 1 pkiuser pkiuser 45 13.12. 08:53 commons-collections.jar ->
/usr/share/tomcat/lib/commons-collections.jar
lrwxrwxrwx. 1 pkiuser pkiuser 38 13.12. 08:53 commons-dbcp.jar ->
/usr/share/tomcat/lib/commons-dbcp.jar
lrwxrwxrwx. 1 pkiuser pkiuser 38 13.12. 08:53 commons-pool.jar ->
/usr/share/tomcat/lib/commons-pool.jar
lrwxrwxrwx. 1 pkiuser pkiuser 28 13.12. 08:53 extras -> /usr/share/tomcat/lib/extras
lrwxrwxrwx. 1 pkiuser pkiuser 35 13.12. 08:53 jasper-el.jar ->
/usr/share/tomcat/lib/jasper-el.jar
lrwxrwxrwx. 1 pkiuser pkiuser 32 13.12. 08:53 jasper.jar ->
/usr/share/tomcat/lib/jasper.jar
lrwxrwxrwx. 1 pkiuser pkiuser 36 13.12. 08:53 jasper-jdt.jar ->
/usr/share/tomcat/lib/jasper-jdt.jar
lrwxrwxrwx. 1 pkiuser pkiuser 31 13.12. 08:53 log4j.jar ->
/usr/share/tomcat/lib/log4j.jar
lrwxrwxrwx. 1 pkiuser pkiuser 43 13.12. 08:53 log4j.properties ->
/usr/share/pki/server/conf/log4j.properties
lrwxrwxrwx. 1 pkiuser pkiuser 43 13.12. 08:53 tomcat7-websocket.jar ->
/usr/share/tomcat/lib/tomcat7-websocket.jar
lrwxrwxrwx. 1 pkiuser pkiuser 36 13.12. 08:53 tomcat-api.jar ->
/usr/share/tomcat/lib/tomcat-api.jar
lrwxrwxrwx. 1 pkiuser pkiuser 39 13.12. 08:53 tomcat-coyote.jar ->
/usr/share/tomcat/lib/tomcat-coyote.jar
lrwxrwxrwx. 1 pkiuser pkiuser 43 13.12. 08:53 tomcat-el-2.2-api.jar ->
/usr/share/tomcat/lib/tomcat-el-2.2-api.jar
lrwxrwxrwx. 1 pkiuser pkiuser 40 13.12. 08:53 tomcat-i18n-es.jar ->
/usr/share/tomcat/lib/tomcat-i18n-es.jar
lrwxrwxrwx. 1 pkiuser pkiuser 40 13.12. 08:53 tomcat-i18n-fr.jar ->
/usr/share/tomcat/lib/tomcat-i18n-fr.jar
lrwxrwxrwx. 1 pkiuser pkiuser 40 13.12. 08:53 tomcat-i18n-ja.jar ->
/usr/share/tomcat/lib/tomcat-i18n-ja.jar
lrwxrwxrwx. 1 pkiuser pkiuser 37 13.12. 08:53 tomcat-jdbc.jar ->
/usr/share/tomcat/lib/tomcat-jdbc.jar
lrwxrwxrwx. 1 pkiuser pkiuser 44 13.12. 08:53 tomcat-jsp-2.2-api.jar ->
/usr/share/tomcat/lib/tomcat-jsp-2.2-api.jar
lrwxrwxrwx. 1 pkiuser pkiuser 37 13.12. 08:53 tomcat-juli.jar ->
/usr/share/tomcat/lib/tomcat-juli.jar
lrwxrwxrwx. 1 pkiuser pkiuser 48 13.12. 08:53 tomcat-servlet-3.0-api.jar ->
/usr/share/tomcat/lib/tomcat-servlet-3.0-api.jar
lrwxrwxrwx. 1 pkiuser pkiuser 37 13.12. 08:53 tomcat-util.jar ->
/usr/share/tomcat/lib/tomcat-util.jar
lrwxrwxrwx. 1 pkiuser pkiuser 39 13.12. 08:53 websocket-api.jar ->
/usr/share/tomcat/lib/websocket-api.jar
---------------------------------------------------------------
---------------------------------------------------------------
# grep -v '^#' /var/lib/pki/pki-tomcat/lib/log4j.properties
log4j.appender.console = org.apache.log4j.ConsoleAppender
log4j.appender.console.Target = System.err
log4j.appender.console.layout = org.apache.log4j.PatternLayout
log4j.appender.console.layout.ConversionPattern = %p: %m%n
log4j.rootLogger = WARN, console
---------------------------------------------------------------
According to pki-server-logging man page:
--------------------------------------
Log4j
The default Tomcat 7 classpath does include Log4j, but
the server itself is not configured to use Log4j for logging by
default. However, since the Log4j is in the classpath the
RESTEasy will use Log4j for logging automatically (see
https://docs.jboss.org/resteasy/docs/3.0.6.Final/userguide/html/Installat...).
The default Log4j configuration is located at
/usr/share/pki/server/conf/log4j.properties. During server
deployment a link will be created at
/var/lib/pki/<instance>/lib/log4j.properties.
By default only log messages with level WARN or higher will be
logged on the console (i.e. systemd journal).
log4j.appender.console = org.apache.log4j.ConsoleAppender
log4j.appender.console.Target = System.err
log4j.appender.console.layout = org.apache.log4j.PatternLayout
log4j.appender.console.layout.ConversionPattern = %p: %m%n
log4j.rootLogger = WARN, console
The default Tomcat 8 classpath does not include Log4j, so RESTEasy will use JUL
instead.
For more information see the following documents:
- http://logging.apache.org/log4j/1.2/apidocs/org/apache/log4j/ConsoleAppen...
- http://logging.apache.org/log4j/1.2/apidocs/org/apache/log4j/Level.html
- http://logging.apache.org/log4j/1.2/apidocs/org/apache/log4j/PatternLayou...
--------------------------------------
So the easiest way to mitigate log4j usage is to remove the log4j.properties
symlink in the instance directory to avoid loading log4j by Tomcat and
RESTEasy.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
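An added example, not part of Alexander's reply and not code from the FreeIPA or Dogtag projects: a small POSIX shell script that automates the check the reply does by hand. It lists any log4j jar or log4j.properties entry in a Tomcat instance lib directory (the reply's /var/lib/pki/pki-tomcat/lib), lists which SLF4J provider jars sit on Dogtag's library path (the reply's /usr/share/pki/lib, where only slf4j-jdk14.jar is expected), and applies the mitigation the reply proposes only when log4j.properties really is a symlink, so a regular file is never deleted by mistake. The function names and the `audit` argument are this example's own; the two paths are the ones quoted in the reply.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): audit a Dogtag/Tomcat
# instance for log4j artefacts and report the SLF4J provider in use.

# Print every log4j jar or log4j.properties entry (file or symlink) found
# in the given instance lib directory; return 0 if any was found, 1 if none.
find_log4j_entries() {
    dir="$1"
    found=1
    for entry in "$dir"/log4j*.jar "$dir"/log4j.properties; do
        # An unmatched glob stays literal; -e also fails on dangling symlinks,
        # so check -L separately to still report a broken link.
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        if [ -L "$entry" ]; then
            printf '%s -> %s\n' "$entry" "$(readlink "$entry")"
        else
            printf '%s\n' "$entry"
        fi
        found=0
    done
    return $found
}

# Print the basenames of SLF4J provider jars (every slf4j-*.jar except the
# API jar itself) in a library directory, one per line.
list_slf4j_providers() {
    dir="$1"
    for jar in "$dir"/slf4j-*.jar; do
        [ -e "$jar" ] || [ -L "$jar" ] || continue
        base=$(basename "$jar")
        [ "$base" = "slf4j-api.jar" ] && continue
        printf '%s\n' "$base"
    done
    return 0
}

# The mitigation from the post: drop the log4j.properties symlink from the
# instance lib directory. Refuses to touch anything that is not a symlink.
remove_log4j_properties_link() {
    link="$1/log4j.properties"
    if [ -L "$link" ]; then
        rm -f "$link"
        printf 'removed symlink %s\n' "$link"
        return 0
    fi
    printf '%s is not a symlink; nothing done\n' "$link" >&2
    return 1
}

# Usage: sh audit-log4j.sh audit
# Runs the report against the live paths quoted in the post (no changes made).
if [ "${1:-}" = "audit" ]; then
    instance_lib=/var/lib/pki/pki-tomcat/lib
    dogtag_lib=/usr/share/pki/lib
    echo "log4j entries in $instance_lib:"
    find_log4j_entries "$instance_lib" || echo "  (none)"
    echo "SLF4J providers in $dogtag_lib:"
    list_slf4j_providers "$dogtag_lib"
fi
```

Run with `sh audit-log4j.sh audit` to get the report; the removal helper is deliberately not wired to the `audit` argument, so deleting the symlink is an explicit separate call after the report has been reviewed.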