From 05e05aef3faba01a89ca924b51f343151c2ddb2c Mon Sep 17 00:00:00 2001
From: Adrian Sutton
Date: Fri, 10 Dec 2021 15:28:17 +1000
Subject: [PATCH] Update log4j (#3151)

Signed-off-by: Adrian Sutton
---
 CHANGELOG.md | 3 +++
 build.gradle | 2 ++
 gradle/versions.gradle | 8 ++++----
 3 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index eaaecf8cda..8a2a536628 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,9 @@
 ### Additions and Improvements
 - Represent baseFee as Wei instead of long accordingly to the spec [#2785] (https://github.com/hyperledger/besu/issues/2785)
+### Bug Fixes
+- Updated log4j to 2.15.0 and disabled JNDI message format lookups to improve security.
+
 ### Breaking Changes
 - Plugin API: BlockHeader.getBaseFee() method now returns an optional Wei instead of an optional Long
diff --git a/build.gradle b/build.gradle
index 323dff9170..579bae817c 100644
--- a/build.gradle
+++ b/build.gradle
@@ -471,6 +471,8 @@ applicationDefaultJvmArgs = [
 // We shutdown log4j ourselves, as otherwise this shutdown hook runs before our own and whatever
 // happens during shutdown is not logged.
 '-Dlog4j.shutdownHookEnabled=false',
+// Disable JNI lookups in log4j messages to improve security
+'-Dlog4j2.formatMsgNoLookups=true',
 // Redirect java.util.logging loggers to use log4j2.
 '-Djava.util.logging.manager=org.apache.logging.log4j.jul.LogManager',
 // Suppress Java JPMS warnings. Document the reason for each suppression.
diff --git a/gradle/versions.gradle b/gradle/versions.gradle
index fc12409013..783fd242ce 100644
--- a/gradle/versions.gradle
+++ b/gradle/versions.gradle
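Review bot: The comment added above `'-Dlog4j2.formatMsgNoLookups=true'` in the build.gradle hunk says "JNI lookups", but the property disables JNDI and other `${...}` lookups in formatted log messages (the Log4Shell vector), so it should read `// Disable JNDI/${} lookups in log4j message formatting (CVE-2021-44228); defense in depth alongside the log4j 2.15.0 upgrade`. Since this is an `applicationDefaultJvmArgs` entry it presumably only reaches the generated start scripts, so anyone launching the jar another way (a custom wrapper, or embedding Besu) would not get the flag; the dependency upgrade has to be the primary fix and the comment should say so rather than implying the flag alone "improves security". Note also that 2.15.0 and `formatMsgNoLookups` were subsequently found to be incomplete mitigations (CVE-2021-45046, CVE-2021-45105), so a follow-up bump to 2.17.1 or later is advisable. The `applicationDefaultJvmArgs` list starts and ends outside the hunk.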
@@ -100,10 +100,10 @@ dependencyManagement {
 dependency 'org.apache.commons:commons-compress:1.21'
 dependency 'org.apache.commons:commons-text:1.9'
-dependency 'org.apache.logging.log4j:log4j-api:2.14.1'
-dependency 'org.apache.logging.log4j:log4j-core:2.14.1'
-dependency 'org.apache.logging.log4j:log4j-jul:2.14.1'
-dependency 'org.apache.logging.log4j:log4j-slf4j-impl:2.14.1'
+dependency 'org.apache.logging.log4j:log4j-api:2.15.0'
+dependency 'org.apache.logging.log4j:log4j-core:2.15.0'
+dependency 'org.apache.logging.log4j:log4j-jul:2.15.0'
+dependency 'org.apache.logging.log4j:log4j-slf4j-impl:2.15.0'
 dependency 'org.apache.tuweni:tuweni-bytes:2.0.0'
 dependency 'org.apache.tuweni:tuweni-config:2.0.0'