4

My application is using Log4j 2.11.1 now. Because of the Log4j security vulnerabilities reported a couple of days ago, I need to update Log4j to 2.15.0. But it fails when I deploy my application on a Linux server.

Here is the error message:

[ERROR] Failed to execute goal on project ***: Could not resolve dependencies for project ***:1.0-SNAPSHOT: Failed to collect dependencies at org.apache.logging.log4j:log4j-api:jar:2.15.0: Failed to read artifact descriptor for org.apache.logging.log4j:log4j-api:jar:2.15.0: Could not transfer artifact org.apache.logging.log4j:log4j-api:pom:2.15.0 from/to central (https://repo1.maven.org/maven2): sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target -> [Help 1]

I've added the certificate of Maven 2 to my Java keystore, but it does not work. My Java version is 1.8.181.

Peter Mortensen
Fan Yu

5 Answers

3

I had log4j-core and log4j-api which needed to be updated. It is a similar case to yours, deployment on a Linux server. It works for me.

<dependency>
  <groupId>org.apache.logging.log4j</groupId>
  <artifactId>log4j-1.2-api</artifactId>
  <version>2.15.0</version>
</dependency>

<dependency>
  <groupId>org.apache.logging.log4j</groupId>
  <artifactId>log4j-core</artifactId>
  <version>2.15.0</version>
</dependency>

I added these dependencies and updated the Maven project (in the Eclipse IDE, right-click on the project, then Maven > Update Project).

Log4j Vulnerability issue with later versions

The version Log4j 2.15.0 was released as a possible fix for this critical vulnerability, but this version was found to be still vulnerable (by Apache Software Foundation).

Solution: Log4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.

Peter Mortensen
Umar
  • I added the above dependencies, but still my dependency tree shows below only:
    [INFO] | +- org.apache.logging.log4j:log4j-api:jar:2.11.2:compile
    [INFO] | +- org.apache.logging.log4j:log4j-core:jar:2.11.2:compile
    Any reason for this? – Sathish Kumar Dec 15 '21 at 03:22
  • @SathishKumar- do share the exact logs of the compilation error if issue still there. part of the dependency tree doesn't give clue about it. – Umar Dec 15 '21 at 14:51
  • I have found the problem, it was from a transitive dependency coming in from one of other projects. – Sathish Kumar Dec 30 '21 at 11:22
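The comment thread above ends with a transitive dependency still pulling in log4j 2.11.2. As an added example, not code from any answer on this page, the following scans `mvn dependency:tree` output for log4j artifacts older than 2.16.0 (the version the answer names as the fix) and reports how deep in the tree each one sits, so a transitive source stands out; the sample tree is constructed for the example.

```python
import re
from typing import List, Tuple

# Constructed sample of `mvn dependency:tree` output, modelled on the comment
# above: the project declares log4j-1.2-api 2.16.0, but a shared library still
# drags in log4j-api and log4j-core 2.11.2 transitively.
SAMPLE_TREE = """\
[INFO] com.example:app:jar:1.0-SNAPSHOT
[INFO] +- com.example:shared-lib:jar:3.2.0:compile
[INFO] |  +- org.apache.logging.log4j:log4j-api:jar:2.11.2:compile
[INFO] |  \\- org.apache.logging.log4j:log4j-core:jar:2.11.2:compile
[INFO] +- org.apache.logging.log4j:log4j-1.2-api:jar:2.16.0:compile
[INFO] \\- org.slf4j:slf4j-api:jar:1.7.32:compile
"""

# Matches the groupId:artifactId:packaging:version:scope coordinates that
# Maven prints for each node of the tree, restricted to the log4j 2 group.
COORD = re.compile(
    r"(?P<group>org\.apache\.logging\.log4j):(?P<artifact>log4j-[\w.-]+):"
    r"(?P<type>[\w-]+):(?P<version>[\w.-]+):(?P<scope>\w+)"
)

FIXED_VERSION = (2, 16, 0)  # version the answer above names as the fix


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.11.2' into (2, 11, 2); non-numeric suffixes are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", v)[:3])


def find_outdated_log4j(tree: str, fixed=FIXED_VERSION) -> List[Tuple[str, str, int]]:
    """Return (artifact, version, depth) for each log4j node older than `fixed`.

    Depth 1 means the artifact is declared in the project's own POM; a larger
    depth means it arrived transitively through another dependency.
    """
    findings = []
    for line in tree.splitlines():
        m = COORD.search(line)
        if not m:
            continue
        # Each tree connector ("+-", "\-") or bar ("|") before the
        # coordinates marks one level of nesting.
        prefix = line[: m.start()]
        depth = prefix.count("+-") + prefix.count("\\-") + prefix.count("|")
        if parse_version(m["version"]) < fixed:
            findings.append((m["artifact"], m["version"], depth))
    return findings


if __name__ == "__main__":
    for artifact, version, depth in find_outdated_log4j(SAMPLE_TREE):
        print(f"{artifact} {version} at depth {depth}")
```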
1

You can have a look at Maven, Ivy, Gradle, and SBT Artifacts.

In my case I had to switch from 1.2.x version to 2.16.0.

You can try using this dependency:

<dependencies>
    <dependency>
        <groupId>org.apache.logging.log4j</groupId>
        <artifactId>log4j-1.2-api</artifactId>
        <version>2.16.0</version>
    </dependency>
</dependencies>
Peter Mortensen
0

As Log4j security vulnerabilities are addressed in log4j-core, please try the latest version of log4j-core using a Maven dependency:

<dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-core</artifactId>
    <version>2.16.0</version>
</dependency>

Reference - Maven Repository: log4j

Regarding the exception you are facing, this may help you - Java: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Peter Mortensen
Caffeine Coder
0

Specifically for a "PKIX path building failed" error in Maven:

If you are on Windows and your IT folks have added transparent proxies that intercept SSL traffic, you'll want to set MAVEN_OPTS to the following:

-Djavax.net.ssl.keyStoreType=Windows-MY -Djavax.net.ssl.trustStoreType=Windows-ROOT

This will direct Maven to use the Windows trust store when vetting SSL certificates issued internally by your IT staff.

If it is a transparent proxy peeking at SSL, but you're not on Windows, you may need to add that certificate to your JVM's trusted keystore, as the JVM options I have only work on Windows.

Peter Mortensen
epeters
0

I faced the same problem with the following dependency:

<dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j</artifactId>
    <version>2.15.0</version>
</dependency>

I replaced the above dependency with:

<dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-1.2-api</artifactId>
    <version>2.15.0</version>
</dependency>

It works OK.

Peter Mortensen