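Background
Following the earlier post "Upgrading Log4j in the Karaf Framework", today I was notified again that the version has to be upgraded once more, this time to 2.18.0, reportedly because of a vulnerability again. Searching online, I found no newly disclosed vulnerability, only a related notice published by Tencent, "Routine Update on the Apache Log4j Official Site".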
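Analysis
From the analysis in the earlier post, we know there are three ways to upgrade in order to fix a vulnerability:
- Upgrade the framework: the impact is fairly large, and the framework's release cycle is slow. There are no prebuilt framework packages yet, so upgrading the framework means building all of the framework packages ourselves, which is risky;
- Upgrade the dependency package: the impact is small, but if there is nowhere to configure the dependency, the upgrade may not be possible (confirmed in practice: it cannot be upgraded on its own);
- Modify the dependency of the current version and recompile: the impact is small, but if the gap to the latest version is large, there may be many changes to make.
Weighing these, I again went with option 3 to see how far it would go. With the experience from the earlier post, I simply changed the dependency version to 2.18.0: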
| pom.xml <version.org.apache.felix.configadmin>1.9.20</version.org.apache.felix.configadmin> <version.org.apache.felix.framework>5.6.12</version.org.apache.felix.framework> <version.org.apache.felix6.framework>6.0.3</version.org.apache.felix6.framework> - <version.org.apache.logging.log4j>2.17.0</version.org.apache.logging.log4j> + <version.org.apache.logging.log4j>2.18.0</version.org.apache.logging.log4j> <version.org.apache.servicemix.bundles.javax-inject>1_3</version.org.apache.servicemix.bundles.javax-inject> <version.org.jboss.logging>3.4.1.Final</version.org.jboss.logging> <version.org.mockito>3.7.7</version.org.mockito>
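Review bot: the `version.org.apache.logging.log4j` bump from 2.17.0 to 2.18.0 is the only change in this hunk, but this source tree carries its own copies of Log4j classes (for example pax-logging-api/src/main/java/org/apache/logging/log4j/LogManager.java and StatusLogger.java), and the upstream upgrade commit changed those together with pom.xml. Port those source changes in the same patch, and drop `-Dmaven.test.skip=true` for the verification build so the integration test modules get a chance to catch a logging regression before the jars are swapped into the dependency repository.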
Build:
```
root@895be557c3cd:/home/org.ops4j.pax.logging-logging-1.11.9# mvn clean install -Dmaven.test.skip=true
...
[INFO] ------------------------------------------------------------------------
[INFO] Reactor Summary:
[INFO]
[INFO] OPS4J Pax Logging (Build POM) 1.11.9 ............... SUCCESS [ 2.355 s]
[INFO] OPS4J Pax Logging - API (Java9) .................... SUCCESS [ 2.039 s]
[INFO] OPS4J Pax Logging - API ............................ SUCCESS [ 4.926 s]
[INFO] OPS4J Pax Logging - Log4Jv1 implementation ......... SUCCESS [ 2.235 s]
[INFO] OPS4J Pax Logging - Log4Jv2 implementation ......... SUCCESS [ 3.051 s]
[INFO] OPS4J Pax Logging - Log4j v2 Extra packages ........ SUCCESS [ 0.146 s]
[INFO] OPS4J Pax Logging - Logback implementation ......... SUCCESS [ 0.950 s]
[INFO] OPS4J Pax Logging - Integration Tests .............. SUCCESS [ 0.354 s]
[INFO] OPS4J Pax Logging - Karaf .......................... SUCCESS [ 0.014 s]
[INFO] OPS4J Pax Logging - Karaf KAR Logger ............... SUCCESS [ 0.142 s]
[INFO] OPS4J Pax Logging - Karaf KAR ...................... SUCCESS [ 1.710 s]
[INFO] OPS4J Pax Logging - Karaf Distribution ............. SUCCESS [ 2.522 s]
[INFO] OPS4J Pax Logging - Karaf Integration Tests 1.11.9 . SUCCESS [ 0.703 s]
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 22.711 s
[INFO] Finished at: 2022-10-20T03:50:21Z
[INFO] ------------------------------------------------------------------------
```
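After replacing pax-logging-api and pax-logging-log4j in the dependency repository with the newly built jars and rebuilding the deliverable, logging was broken: the service no longer printed any logs at all, which left nothing to start troubleshooting from.
Judging from the commit in reference [1], org.ops4j.pax.logging did not only change the version in order to upgrade the log4j dependency; it also made a number of code changes, which I suspected were related: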
```
pax-logging-api/src/main/java/org/apache/logging/log4j/LogManager.java
pax-logging-api/src/main/java/org/apache/logging/log4j/status/StatusLogger.java
pax-logging-api/src/main/java/org/apache/logging/log4j/util/PaxPropertySource.java
pax-logging-it/pom.xml
pax-logging-log4j2/src/main/java/org/apache/logging/log4j/core/config/plugins/util/ResolverUtil.java
pax-logging-log4j2/src/main/java/org/apache/logging/log4j/core/impl/ThrowableProxy.java
pax-logging-log4j2/src/main/java/org/apache/logging/log4j/core/pattern/DatePatternConverter.java
pax-logging-log4j2/src/main/java/org/ops4j/pax/logging/log4j2/internal/PaxLoggingServiceImpl.java
pax-logging-samples/fragment-log4j2/src/main/java/org/ops4j/pax/logging/log4j2/extra/ListAppender.java
pom.xml
```
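Comparing the two, the changes are neither numerous nor complicated, so I tried porting the updated code onto version 1.11.9.
Then I built the jar packages in the same container build environment used in the earlier post: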
```
root@895be557c3cd:/home/org.ops4j.pax.logging-logging-1.11.9# mvn clean install -Dmaven.test.skip=true
...
[INFO] ------------------------------------------------------------------------
[INFO] Reactor Summary:
[INFO]
[INFO] OPS4J Pax Logging (Build POM) 1.11.9 ............... SUCCESS [ 2.355 s]
[INFO] OPS4J Pax Logging - API (Java9) .................... SUCCESS [ 2.039 s]
[INFO] OPS4J Pax Logging - API ............................ SUCCESS [ 4.926 s]
[INFO] OPS4J Pax Logging - Log4Jv1 implementation ......... SUCCESS [ 2.235 s]
[INFO] OPS4J Pax Logging - Log4Jv2 implementation ......... SUCCESS [ 3.051 s]
[INFO] OPS4J Pax Logging - Log4j v2 Extra packages ........ SUCCESS [ 0.146 s]
[INFO] OPS4J Pax Logging - Logback implementation ......... SUCCESS [ 0.950 s]
[INFO] OPS4J Pax Logging - Integration Tests .............. SUCCESS [ 0.354 s]
[INFO] OPS4J Pax Logging - Karaf .......................... SUCCESS [ 0.014 s]
[INFO] OPS4J Pax Logging - Karaf KAR Logger ............... SUCCESS [ 0.142 s]
[INFO] OPS4J Pax Logging - Karaf KAR ...................... SUCCESS [ 1.710 s]
[INFO] OPS4J Pax Logging - Karaf Distribution ............. SUCCESS [ 2.522 s]
[INFO] OPS4J Pax Logging - Karaf Integration Tests 1.11.9 . SUCCESS [ 0.703 s]
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 23.641 s
[INFO] Finished at: 2022-10-20T03:55:39Z
[INFO] ------------------------------------------------------------------------
```
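The build with the upgraded log4j version succeeded.
After replacing pax-logging-api and pax-logging-log4j in the dependency repository with the newly built jars and rebuilding the deliverable, logging worked normally.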
Solution
Replace pax-logging-api and pax-logging-log4j in the dependency repository with the newly built jars and rebuild the deliverable; logging works normally.
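One way to confirm that the swapped-in jars really carry Log4j 2.18.0 before rebuilding the deliverable, as an added example that is not from the original post or the pax-logging project: it reads a bundle's OSGi manifest and reports Log4j packages exported at any other version. It assumes the bundle lists `org.apache.logging.log4j` packages in `Export-Package` with a `version` attribute; `build_sample_jar` and its manifest are constructed for the demonstration.

```python
import io
import re
import zipfile

def manifest_headers(jar_bytes):
    """Main-section MANIFEST.MF headers, with 72-byte continuation lines rejoined."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        text = jar.read("META-INF/MANIFEST.MF").decode("utf-8")
    headers, name = {}, None
    for line in text.splitlines():
        if not line:                      # blank line ends the main section
            break
        if line.startswith(" ") and name:
            headers[name] += line[1:]     # continuation: drop the one leading space
        else:
            name, _, value = line.partition(": ")
            headers[name] = value
    return headers

def split_unquoted(text, sep):
    """Split on sep, ignoring separators inside double-quoted values."""
    return [m.strip() for m in re.findall(r'(?:[^%s"]|"[^"]*")+' % sep, text)]

def exported_log4j_versions(jar_bytes, prefix="org.apache.logging.log4j"):
    """Map each exported Log4j package to the version attribute on its clause."""
    found = {}
    export = manifest_headers(jar_bytes).get("Export-Package", "")
    for clause in split_unquoted(export, ","):
        parts = split_unquoted(clause, ";")
        version = next((p[8:].strip('"') for p in parts if p.startswith("version=")), None)
        for pkg in (p for p in parts if "=" not in p):
            if pkg == prefix or pkg.startswith(prefix + "."):
                found[pkg] = version
    return found

def stale_packages(jar_bytes, expected="2.18.0"):
    """Log4j packages still exported at a version other than the expected one."""
    return sorted(p for p, v in exported_log4j_versions(jar_bytes).items() if v != expected)

def build_sample_jar(api_version, util_version):
    """Constructed stand-in for a rebuilt bundle, not a real pax-logging manifest."""
    export = ('Export-Package: org.ops4j.pax.logging;version="1.11.9",'
              f'org.apache.logging.log4j;version="{api_version}";'
              'uses:="org.apache.logging.log4j.message,org.apache.logging.log4j.spi",'
              f'org.apache.logging.log4j.util;version="{util_version}"')
    wrapped = export[:72] + "".join("\n " + export[i:i + 71] for i in range(72, len(export), 71))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n" + wrapped + "\n\n")
    return buf.getvalue()
```

For a real check, pass the bytes of the rebuilt jar file to `stale_packages`; an empty list means every exported Log4j package is at the expected version.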
References
- https://github.com/ops4j/org.ops4j.pax.logging/commit/7c007343fe9844a17e9c6eaae3a833e6c19a579a