Search results
Results From The WOW.Com Content Network
Log4Shell (CVE-2021-44228) is a zero-day vulnerability reported in November 2021 in Log4j, a popular Java logging framework, involving arbitrary code execution. [2] [3] The vulnerability had existed unnoticed since 2013 and was privately disclosed to the Apache Software Foundation, of which Log4j is a project, by Chen Zhaojun of Alibaba Cloud's security team on 24 November 2021.
Apache Log4j is a Java-based logging utility originally written by Ceki Gülcü. ... [52] [53] For additional security, all features using JNDI, ...
JNDI (Java Naming and Directory Interface) organizes its names into a hierarchy. A name can be any string such as "com.example.ejb.MyBean". A name can also be an object that implements the Name interface; however, a string is the most common way to name an object.
Log4j has a system of config files accessible as resources. there are issues when things are running in J2EE containers the container may want to restrict access to services; the container might want to hot-remap resorces; JNDI provides a federated namespace, which provides a standard way of getting at any service.
The Apache Directory project was started using the JNDI library, but many of its LDAP structures had to be developed in-house because the JNDI library was ineffective for interacting with an LDAP server. It wasn't convenient for the project team to use JNDI which indicated to them it wouldn't be easy for typical users either.
Log4j 2 provides both an API and an implementation. The API can be routed to other logging implementations equivalent to how SLF4J works. Unlike SLF4J, the Log4j 2 API logs Message [2] objects instead of Strings for extra flexibility and also supports Java Lambda expressions. [3] JCL isn't really a logging framework, but a wrapper for one.
Incredibly flexible JNDI name support allows you to specify formats at macro and micro levels and imitate the format of other vendors. Allows for easy testing and debugging in IDEs such as Eclipse, IntelliJ IDEA or NetBeans with no plug-ins required. Usable in ordinary JUnit or other style test cases without complicated setup or external processes.
Apache log4j 1.3 added many interesting features, but was compatibility with log4j 1.2 was problematic. Many features original developed for log4j 1.3 have been back-ported as companions for log4j 1.2. No further development is anticipated. Apache log4j 2.0 is an experimental development branch for logging services designed for Java 5 and later.