Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

How do I check the version of log4j library version deployed in the Java runtime? #1923

Closed
pantdeepak opened this issue Oct 30, 2023 · 5 comments
Closed

How do I check the version of log4j library version deployed in the Java runtime? #1923

pantdeepak opened this issue Oct 30, 2023 · 5 comments
Assignees
@vy
Labels
bug Incorrect, unexpected, or unintended behavior of existing code
Milestone
2.22.0

Comments

@pantdeepak
Copy link

As clearly indicated in the Log4j support page, please use mailing lists for questions!

Up until version 2.20.0, I was able to use following method to check the version #.
org.apache.logging.log4j.LogManager.class.getPackage().getImplementationVersion()

Starting version 2.21.1 the above method returns null as I could not find "Implementation-Version" entry in the MANIFEST.MF file.
@rgoers
Copy link
Member

rgoers commented Oct 31, 2023 via email

@vy
Copy link
Member

vy commented Oct 31, 2023

@pantdeepak, thanks for the report, I am on it.

@rgoers, not by the CI release process, but the newly employed bnd-maven-plugin.

@vy vy self-assigned this Oct 31, 2023
@ppkarwasz
Copy link
Contributor

Generally speaking one can not expect Package#getImplementationVersion to return anything useful. This is based on an Oracle Java Product Versioning Specification, which even contains errors in it (like Package-Version instead of Implementation-Version). The Maven Archiver Plugin also does not fill these entries by default.

However, since Log4j used to provide the Specification-* and Implementation-* versions, we should probably restore them for backward compatibility.

Remark: if the purpose of this version check is a basic scan for vulnerable versions, I would rather parse the META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties resource, instead of relying on Package.

The presence of such a file is as "standard" as the Implementation-* headers (even more, since the Maven Archiver Plugin generates it by default) and the resource is usually copied in shaded artifacts.

Using this method you could find that the old pax-logging-log4j2 artifact is vulnerable to Log4Shell, while a Package.getImplementationVersion check will not discover anything.

vy added a commit that referenced this issue Oct 31, 2023
@vy
Add missing Implementation- and Specification- entries to `MANIFE…
40e59eb 
…ST.MF` (#1923)
@vy vy added this to the 2.22.0 milestone Oct 31, 2023
@vy vy added the bug Incorrect, unexpected, or unintended behavior of existing code label Oct 31, 2023
@vy vy mentioned this issue Oct 31, 2023
Closed
vy added a commit to apache/logging-parent that referenced this issue Oct 31, 2023
@vy
Add missing Implementation- and Specification- entries in `MANIFE…
a43a0b2 
…ST.MF` to `bnd-maven-plugin` configuration (apache/logging-log4j2#1923)
vy added a commit that referenced this issue Oct 31, 2023
@vy
Revert MANIFEST.MF fix, it will be packaged by logging-parent (#1923
cf0087a 
)
@vy
Copy link
Member

vy commented Oct 31, 2023

@pantdeepak, Log4j et al. is parented by logging-parent and I have fixed the problem there: apache/logging-parent@a43a0b2. logging-parent version 10.3.0 is expected to be released next week and promptly its version will be bumped for Log4j et al.

@vy vy closed this as completed Oct 31, 2023
@pantdeepak
Copy link
Author

Thank you very much for your prompt attention to this issue. Much appreciated.

@venusdrogon venusdrogon mentioned this issue Dec 19, 2023
Closed
# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees

@vy vy

Labels
bug Incorrect, unexpected, or unintended behavior of existing code
Projects
None yet
Milestone
2.22.0
Development

No branches or pull requests
4 participants
@vy @rgoers @pantdeepak @ppkarwasz