2

I've started writing a new application in Java 11 and while running the application I got this below error. I read about this issue and looks like it is a case of split package . But I'm not sure how can I fix this issue. 

java.lang.module.ResolutionException: Modules slf4j.log4j12 and log4j export package org.apache.log4j to module kubernetes.model.common

I've below dependencies in pom for log4j and slf4j.

log4j

<dependency>
      <groupId>org.slf4j</groupId>
      <artifactId>slf4j-api</artifactId>
      <version>1.7.26</version>
    </dependency>
    <dependency>
      <groupId>org.slf4j</groupId>
      <artifactId>slf4j-log4j12</artifactId>
      <version>1.7.26</version>
    </dependency>

log4j2

When I tried to use log4j2 with following dependencies I got different error

 <dependency>
  <groupId>org.apache.logging.log4j</groupId>
  <artifactId>log4j-api</artifactId>
  <version>2.7</version>
</dependency>
<dependency>
  <groupId>org.apache.logging.log4j</groupId>
  <artifactId>log4j-core</artifactId>
  <version>2.7</version>
</dependency>
<dependency>
  <groupId>org.apache.logging.log4j</groupId>
  <artifactId>log4j-slf4j-impl</artifactId>
  <version>2.7</version>
</dependency>
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>
<version>1.7.6</version>


java.lang.module.ResolutionException: Modules log4j.core and log4j.api export package org.apache.logging.log4j to module java.annotation
BobCoder
  • 743
  • 2
  • 10
  • 27
  • `slf4j-api-1.7.26.jar` doesn't contain an `org.apache` folder. I think it's another dependency giving you this error. Do you also have a dependency entry `log4j`? – Scratte Feb 09 '20 at 00:34
  • Log4J 2.7 is very old. Please try with a newer version. The latest is 2.13.0. – rgoers Feb 09 '20 at 14:45

2 Answers2

3

slf4j-log4j12 contains a class named org.apache.log4j.MDCFriend.

As I recall this is to fix a bug in log4j 1.x that occurred when the version detection pattern was changed in Java 9. Since Log4j 1.x reached the end of life in August 2015 the bug cannot be fixed there so SLF4J introduced this "fix". Unfortunately, using the org.apache.log4j package outside of the log4j jar is forbidden in the Java module system which is what is causing the problem you are seeing.

Also, note that the security bug CVE-2019-17571 has been created for Log4j 1.x. While your application probably won't be vulnerable to the problem it will show up on security scans.

You have a few options:

  1. Create a bug report against SLF4J and hope that it gets fixed.
  2. Create your own fork of slf4j-log4j12 and fix it yourself.
  3. Upgrade from Log4j 1 to Log4j 2 (the solution I would recommend for a new application).
  4. Use an SLF4J implementation other than Log4j 2.
Naman
  • 27,789
  • 26
  • 218
  • 353
rgoers
  • 8,696
  • 1
  • 22
  • 24
  • I tried to use log4j2 with slf4j but I got different error. I've updated my questions with the details. – BobCoder Feb 09 '20 at 14:26
  • Re: CVE-2019-17571, is it worth upgrading Log4j 1.x to 2.x? Also, do you know if this was fixed 2.x? How to tell if my application is affected by it? Thanks. – Say No To Censorship Mar 29 '20 at 21:28
  • Yes, it was fixed in Log4j 2. The reality is that very few users will be affected. The vulnerability is in the Log Server component that can receive log events over a TCP socket. That component is not widely used. However, many security people don't care and simply want you to be on a version that doesn't have a reported vulnerability. As for whether the upgrade is "worth it" - that is really for you to decide, but Log4j 1 will never have another enhancement of fix and it has some very serious bugs. – rgoers Mar 29 '20 at 21:32
0

I encounterd the same error, but when I use log4j-core version 2.13.3 ,the error disappears.

quan changnai
  • 1