2.15.0
Release date: 2021-12-06
This release contains a number of bug fixes and minor enhancements which are listed below.
The Log4j team has been made aware of a security vulnerability, CVE-2021-44228, that has been addressed in Log4j 2.15.0.
Log4j’s JNDI support has not restricted what names could be resolved. Some protocols are unsafe or can allow remote code execution. Log4j now limits the protocols by default to only java, ldap, and ldaps and limits the ldap protocols to only accessing Java primitive objects by default served on the local host.
One vector that allowed exposure to this vulnerability was Log4j’s allowance of Lookups to appear in log messages. As of Log4j 2.15.0 this feature is now disabled by default. While an option has been provided to enable Lookups in this fashion, users are strongly discouraged from enabling it.
Users who cannot upgrade to 2.15.0 can mitigate the exposure by:
- Users of Log4j 2.10 or greater may add `-Dlog4j.formatMsgNoLookups=true` as a command line option or add `log4j.formatMsgNoLookups=true` to a `log4j2.component.properties` file on the classpath to prevent lookups in log event messages.
- Users since Log4j 2.7 may specify `%{nolookups}` in the `PatternLayout` configuration to prevent lookups in log event messages.
- Remove the `JndiLookup` and `JndiManager` classes from the `log4j-core` JAR. Removal of the `JndiManager` will cause the `JndiContextSelector` and `JMSAppender` to no longer function.
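An audit helper along the lines of the third mitigation above, written here as an added example (not Log4j project code): it reads the version from the Maven `pom.properties` inside a `log4j-core` JAR, reports whether the `JndiLookup` and `JndiManager` entries are present, flags JARs older than 2.15.0 that still carry `JndiLookup`, and writes a copy without that entry. The sample JAR is constructed inline; the entry paths assume the standard `log4j-core` package layout.

```python
import io
import re
import zipfile

# Entry paths inside log4j-core for the two classes named in the mitigation list.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JNDI_MANAGER = "org/apache/logging/log4j/core/net/JndiManager.class"
FIXED_VERSION = (2, 15, 0)  # release in which CVE-2021-44228 is addressed


def version_tuple(version: str) -> tuple:
    """'2.14.1' -> (2, 14, 1); non-numeric suffixes such as '-rc1' are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", version)[:3])


def audit_jar(jar_bytes: bytes) -> dict:
    """Report the log4j-core version and which JNDI classes the JAR still carries."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
        version = None
        for name in names:
            # Maven-built JARs embed META-INF/maven/<group>/<artifact>/pom.properties.
            if name.endswith("/log4j-core/pom.properties"):
                for line in zf.read(name).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        version = line.split("=", 1)[1].strip()
    outdated = version is None or version_tuple(version) < FIXED_VERSION
    return {"version": version, "has_jndi_lookup": JNDI_LOOKUP in names,
            "has_jndi_manager": JNDI_MANAGER in names,
            # Mitigation is needed only while JndiLookup is present in a pre-2.15.0 JAR.
            "needs_mitigation": outdated and JNDI_LOOKUP in names}


def strip_classes(jar_bytes: bytes, classes=(JNDI_LOOKUP,)) -> bytes:
    """Return a copy of the JAR without the given entries (zip archives cannot be edited in place)."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename not in classes:
                dst.writestr(info, src.read(info.filename))
    return out.getvalue()


def make_sample_jar(version: str) -> bytes:
    """Constructed stand-in for a log4j-core JAR: real entry names, empty class bodies."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties",
                    f"version={version}\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n")
        zf.writestr(JNDI_LOOKUP, b"")
        zf.writestr(JNDI_MANAGER, b"")
    return buf.getvalue()
```

Passing both constants to `strip_classes` removes `JndiManager` too, which, as the list above notes, disables `JndiContextSelector` and `JMSAppender`.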
Due to a break in compatibility in the SLF4J binding, Log4j now ships with two versions of the SLF4J to Log4j adapters. `log4j-slf4j-impl` should be used with SLF4J 1.7.x and earlier and `log4j-slf4j18-impl` should be used with SLF4J 1.8.x and later. SLF4J-2.0.0 alpha releases are not fully supported. See LOG4J2-2975 and SLF4J-511.
Some of the new features in Log4j 2.15.0 include:
- Support for Arbiters, which are conditionals that can enable sections of the logging configuration for inclusion or exclusion. In particular, `SpringProfile`, `SystemProperty`, Script, and Class Arbiters have been provided that use the Spring profile, System property, the result of a script, or the presence of a class respectively to determine whether a section of configuration should be included.
- Support for Jakarta EE 9. This is functionally equivalent to Log4j’s `log4j-web` module but uses the Jakarta project.
- Various performance improvements.
Key changes to note:
- Prior to this release Log4j would automatically resolve Lookups contained in the message or its parameters in the Pattern Layout. This behavior is no longer the default and must be enabled by specifying `%msg{lookup}`.
- The JNDI Lookup has been restricted to only support the java, ldap, and ldaps protocols by default. LDAP also no longer supports classes that implement the `Referenceable` interface and restricts the Serializable classes to the Java primitive classes by default and requires an allow list to be specified to access remote LDAP servers.
The Log4j 2.15.0 API, as well as many core components, maintains binary compatibility with previous releases.
Apache Log4j 2.15.0 requires a minimum of Java 8 to build and run. Log4j 2.12.1 is the last release to support Java 7. Java 7 is no longer supported by the Log4j team.
For complete information on Apache Log4j 2, including instructions on how to submit bug reports, patches, or suggestions for improvement, see the Apache Log4j 2 website.
Added
- Add support for US-style date patterns and micro/nano seconds to FixedDateTime. (LOG4J2-2885)
- Add BasicAsyncLoggerContextSelector equivalent to AsyncLoggerContextSelector for applications with a single LoggerContext. This selector avoids classloader lookup overhead incurred by the existing AsyncLoggerContextSelector. (LOG4J2-2940)
- Context selectors are aware of their dependence upon the caller’s ClassLoader, allowing basic context selectors to avoid the unnecessary overhead of walking the stack to determine the caller’s ClassLoader. (LOG4J2-2940)
- Add support for Jakarta EE 9 (Tomcat 10 / Jetty 11). (LOG4J2-2978)
- Add plugin support to JsonTemplateLayout. (LOG4J2-3004)
- Allow a PatternSelector to be specified on GelfLayout. (LOG4J2-3041)
- Add RepeatPatternConverter. (LOG4J2-3044)
- Add improved MapMessage support to GelfLayout. (LOG4J2-3048)
- Allow MapMessage and ThreadContext attributes to be prefixed. (LOG4J2-3049)
- Allow AdditionalFields to be ignored if their value is null or a zero-length String. (LOG4J2-3050)
- Add CaseConverterResolver to JsonTemplateLayout. (LOG4J2-3051)
- Refactor MD5 usage for sharing sensitive information. (LOG4J2-3056)
- Add Arbiters and SpringProfile plugin. (LOG4J2-3064)
- Add CounterResolver to JsonTemplateLayout. (LOG4J2-3067)
- Add replacement parameter to ReadOnlyStringMapResolver. (LOG4J2-3074)
- Add JsonTemplateLayout for Google Cloud Platform structured logging layout. (LOG4J2-3116)
- Add missing slf4j-api singleton accessors to log4j-slf4j-impl (1.7) StaticMarkerBinder and StaticMDCBinder. This doesn’t impact behavior or correctness, but avoids throwing and catching NoSuchMethodErrors when slf4j is initialized and avoids linkage linting warnings. (LOG4J2-3133)
- Avoid ThreadLocal overhead in RandomAccessFileAppender, RollingRandomAccessFileManager, and MemoryMappedFileManager due to the unused setEndOfBatch and isEndOfBatch methods. The methods on LogEvent are preferred. (LOG4J2-3141)
- Prefer string.getBytes(Charset) over string.getBytes(String) based on performance improvements in modern Java releases. (LOG4J2-3144)
- Make CRLF/HTML encoding run in O(n) worst-case time, rather than O(n^2). (LOG4J2-3170)
- Improve PatternLayout performance by reducing unnecessary indirection and branching. (LOG4J2-3171)
- Improve NameAbbreviator worst-case performance. (LOG4J2-3189)
- Allow fractional attributes for size attribute of SizeBasedTriggeringPolicy. (LOG4J2-3194)
- Pattern layout no longer enables lookups within message text by default for cleaner API boundaries and reduced formatting overhead. The old 'log4j2.formatMsgNoLookups' which enabled this behavior has been removed as well as the 'nolookups' message pattern converter option. The old behavior can be enabled on a per-pattern basis using '%m{lookups}'. (LOG4J2-3198)
Changed
- Handle interrupted exceptions that occur during rollover. (LOG4J2-1798)
- Provide support for overriding the Tomcat Log class in Tomcat 8.5+. (LOG4J2-2025)
- Minor documentation corrections regarding log levels. (LOG4J2-2540)
- Minor documentation corrections in the configuration section. (LOG4J2-2541)
- Correct documentation for SyslogAppender when using TLS. (LOG4J2-2553)
- Log4j 1.x properties were not being substituted. (LOG4J2-2951)
- Fix Log Event Level vs Logger Config Level table. (LOG4J2-3166)
- Update Spring framework to 5.3.13, Spring Boot to 2.5.7, and Spring Cloud to 2020.0.4.
- Updated dependencies:
  - com.fasterxml.jackson.core:jackson-annotations 2.12.2 → 2.12.4
  - com.fasterxml.jackson.core:jackson-core 2.12.2 → 2.12.4
  - com.fasterxml.jackson.core:jackson-databind 2.12.2 → 2.12.4
  - com.fasterxml.jackson.dataformat:jackson-dataformat-xml 2.12.2 → 2.12.4
  - com.fasterxml.jackson.dataformat:jackson-dataformat-yaml 2.12.2 → 2.12.4
  - com.fasterxml.jackson.module:jackson-module-jaxb-annotations 2.12.2 → 2.12.4
  - com.fasterxml.woodstox:woodstox-core 6.2.4 → 6.2.6
  - commons-io:commons-io 2.8.0 → 2.11.0
  - net.javacrumbs.json-unit:json-unit 2.24.0 → 2.25.0
  - net.javacrumbs.json-unit:json-unit 2.25.0 → 2.27.0
  - org.apache.activemq:activemq-broker 5.16.1 → 5.16.2
  - org.apache.activemq:activemq-broker 5.16.2 → 5.16.3
  - org.apache.commons:commons-compress 1.20 → 1.21
  - org.apache.commons:commons-csv 1.8 → 1.9.0
  - org.apache.commons:commons-dbcp2 2.8.0 → 2.9.0
  - org.apache.commons:commons-pool2 2.9.0 → 2.11.1
  - org.apache.maven.plugins:maven-failsafe-plugin 2.22.2 → 3.0.0-M5
  - org.apache.maven.plugins:maven-surefire-plugin 2.22.2 → 3.0.0-M5
  - org.apache.rat:apache-rat-plugin 0.12 → 0.13
  - org.assertj:assertj-core 3.19.0 → 3.20.2
  - org.codehaus.groovy:groovy-dateutil 3.0.7 → 3.0.8
  - org.codehaus.groovy:groovy-jsr223 3.0.7 → 3.0.8
  - org.codehaus.plexus:plexus-utils 3.3.0 → 3.4.0
  - org.eclipse.persistence:javax.persistence 2.1.1 → 2.2.1
  - org.eclipse.persistence:org.eclipse.persistence.jpa 2.6.5 → 2.6.9
  - org.eclipse.persistence:org.eclipse.persistence.jpa 2.7.8 → 2.7.9
  - org.fusesource.jansi 2.3.2 → 2.3.4
  - org.fusesource.jansi:jansi 2.3.1 → 2.3.2
  - org.hsqldb:hsqldb 2.5.1 → 2.5.2
  - org.junit.jupiter:junit-jupiter-engine 5.7.1 → 5.7.2
  - org.junit.jupiter:junit-jupiter-migrationsupport 5.7.1 → 5.7.2
  - org.junit.jupiter:junit-jupiter-params 5.7.1 → 5.7.2
  - org.junit.vintage:junit-vintage-engine 5.7.1 → 5.7.2
  - org.liquibase:liquibase-core 3.5.3 → 3.5.5
  - org.mockito:mockito-core 3.8.0 → 3.11.2
  - org.mockito:mockito-junit-jupiter 3.8.0 → 3.11.2
  - org.springframework:spring-aop 5.3.3 → 5.3.9
  - org.springframework:spring-beans 5.3.3 → 5.3.9
  - org.springframework:spring-context 5.3.3 → 5.3.9
  - org.springframework:spring-context-support 5.3.3 → 5.3.9
  - org.springframework:spring-core 5.3.3 → 5.3.9
  - org.springframework:spring-expression 5.3.3 → 5.3.9
  - org.springframework:spring-oxm 5.3.3 → 5.3.9
  - org.springframework:spring-test 5.3.3 → 5.3.9
  - org.springframework:spring-web 5.3.3 → 5.3.9
  - org.springframework:spring-webmvc 5.3.3 → 5.3.9
  - org.tukaani:xz 1.8 → 1.9
Fixed
- LoggerContext skips resolving localhost when hostName is configured. (LOG4J2-2808)
- Handle Disruptor event translation exceptions. (LOG4J2-2816)
- SocketAppender should propagate failures when reconnection fails. (LOG4J2-2829)
- Slf4j implementations walk the stack at most once rather than twice to determine the caller’s class loader. (LOG4J2-2940)
- Fixed a deadlock between the AsyncLoggerContextSelector and java.util.logging.LogManager by updating Disruptor to 3.4.4. (LOG4J2-2965)
- BasicContextSelector hasContext and shutdown take the default context into account. (LOG4J2-3054)
- Fix thread-safety issues in DefaultErrorHandler. (LOG4J2-3060)
- Ensure EncodingPatternConverter#handlesThrowable is implemented. (LOG4J2-3070)
- Fix formatting of nanoseconds in JsonTemplateLayout. (LOG4J2-3075)
- Use SimpleMessage in Log4j 1 Category whenever possible. (LOG4J2-3080)
- log4j-slf4j-impl and log4j-slf4j18-impl correctly detect the calling class using both LoggerFactory.getLogger methods as well as LoggerFactory.getILoggerFactory().getLogger. (LOG4J2-3083)
- Fix race in JsonTemplateLayout where a timestamp could end up unquoted. (LOG4J2-3087)
- Fix sporadic JsonTemplateLayoutNullEventDelimiterTest failures on Windows. (LOG4J2-3089)
- Fix JsonWriter memory leaks due to retained excessive buffer growth. (LOG4J2-3092)
- Category.setLevel should accept null value. (LOG4J2-3095)
- Fix a regression in 2.14.1 which allowed the AsyncAppender background thread to keep the JVM alive because the daemon flag was not set. (LOG4J2-3102)
- Fix race condition which can result in ConcurrentModificationException on context.stop. (LOG4J2-3103)
- SmtpManager.createManagerName ignores port. (LOG4J2-3107)
- Fix cases where the number of {}-placeholders in the string literal argument does not match the number of other arguments to the logging call. (LOG4J2-3110)
- Enable immediate flush on RollingFileAppender when buffered I/O is not enabled. (LOG4J2-3114)
- log4j2 config modified at run-time may trigger incomplete MBean re-initialization due to InstanceAlreadyExistsException. (LOG4J2-3121)
- log4j-1.2-api implements LogEventAdapter.getTimestamp() based on the original event timestamp instead of returning zero. (LOG4J2-3142)
- RandomAccessFile appender uses the correct default buffer size of 256 kB rather than the default appender buffer size of 8 kB. (LOG4J2-3150)
- DatePatternConverter performance is not impacted by microsecond-precision clocks when such precision isn’t required. (LOG4J2-3153)
- Fixed an unlikely race condition in Log4jMarker.getParents() volatile access. (LOG4J2-3159)
- Fix documentation on how to toggle log4j2.debug system property. (LOG4J2-3160)
- Fix bug when file names contain regex characters. (LOG4J2-3168)
- Buffer immutable log events in the SmtpManager. (LOG4J2-3172)
- Wrong subject on mail when it depends on the LogEvent. (LOG4J2-3174)
- Avoid KafkaManager override when topics differ. (LOG4J2-3175)
- Avoid using MutableInstant of the event as a cache key in JsonTemplateLayout. (LOG4J2-3183)
- Fix thread-safety issues in DefaultErrorHandler. (LOG4J2-3185)
- Limit the protocols JNDI can use by default. Limit the servers and classes that can be accessed via LDAP. (LOG4J2-3201)