9

I upgraded log4j version to 2.15.0 due to security vulnerability. but when deploying I get the "EMPTY_BYTE_ARRAY" error in wildfly server.

Pom.xml:

<properties>
    <java.version>1.8</java.version>
    <log4j2.version>2.16.0</log4j2.version>
</properties>

<dependencies>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-data-jpa</artifactId>
    </dependency>

    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-data-rest</artifactId>
    </dependency>

    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-web</artifactId>
        <exclusions>
            <exclusion>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-starter-tomcat</artifactId>
            </exclusion>
            <exclusion>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-starter-logging</artifactId>
            </exclusion>
        </exclusions>
    </dependency>

    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-security</artifactId>
        <exclusions>
            <exclusion>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-starter-logging</artifactId>
            </exclusion>
        </exclusions>
    </dependency>


    <!-- Add Log4j2 Dependency -->
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-log4j2</artifactId>
    </dependency>
    <dependency>
        <groupId>org.apache.logging.log4j</groupId>
        <artifactId>log4j-api</artifactId>
        <version>${log4j2.version}</version>
    </dependency>
    <dependency>
        <groupId>org.apache.logging.log4j</groupId>
        <artifactId>log4j-core</artifactId>
        <version>${log4j2.version}</version>
    </dependency>
    <!-- Add Log4j2 Async Dependency -->

    <dependency>
        <groupId>axis</groupId>
        <artifactId>axis</artifactId>
        <version>1.4</version>
        <scope>compile</scope>
    </dependency>
    <dependency>
        <groupId>axis</groupId>
        <artifactId>axis-wsdl4j</artifactId>
        <version>1.5.1</version>
        <scope>compile</scope>
    </dependency>
    <dependency>
        <groupId>javax.mail</groupId>
        <artifactId>mail</artifactId>
        <version>1.4.7</version>
    </dependency>
    <dependency>
        <groupId>io.jsonwebtoken</groupId>
        <artifactId>jjwt</artifactId>
        <version>0.9.0</version>
    </dependency>
    <dependency>
        <groupId>javax.servlet</groupId>
        <artifactId>javax.servlet-api</artifactId>
        <scope>provided</scope>
    </dependency>
    <dependency>
        <groupId>org.glassfish</groupId>
        <artifactId>javax.json</artifactId>
        <version>1.0-b04</version>
    </dependency>
    <dependency>
        <groupId>javax.xml.rpc</groupId>
        <artifactId>javax.xml.rpc-api</artifactId>
        <version>1.1.1</version>
    </dependency>
    <dependency>
        <groupId>wsdl4j</groupId>
        <artifactId>wsdl4j</artifactId>
    </dependency>
    <dependency>
        <groupId>org.modelmapper</groupId>
        <artifactId>modelmapper</artifactId>
        <version>2.3.2</version>
    </dependency>
    <dependency>
        <groupId>org.apache.commons</groupId>
        <artifactId>commons-lang3</artifactId>
        <version>3.12.0</version>
    </dependency>
    <dependency>
        <groupId>commons-dbcp</groupId>
        <artifactId>commons-dbcp</artifactId>
        <version>1.4</version>
    </dependency>
    <dependency>
        <groupId>io.springfox</groupId>
        <artifactId>springfox-swagger2</artifactId>
        <version>2.6.1</version>
    </dependency>
    <dependency>
        <groupId>io.springfox</groupId>
        <artifactId>springfox-swagger-ui</artifactId>
        <version>2.6.1</version>
    </dependency>
    <dependency>
        <groupId>com.microsoft.sqlserver</groupId>
        <artifactId>mssql-jdbc</artifactId>
    </dependency>
    <dependency>
        <groupId>org.hibernate</groupId>
        <artifactId>hibernate-core</artifactId>
    </dependency>
    <dependency>
        <groupId>com.lmax</groupId>
        <artifactId>disruptor</artifactId>
        <version>3.4.2</version>
    </dependency>
    <dependency>
        <groupId>commons-validator</groupId>
        <artifactId>commons-validator</artifactId>
        <version>1.7</version>
    </dependency>
    <dependency>
        <groupId>com.google.code.gson</groupId>
        <artifactId>gson</artifactId>
        <version>2.8.6</version>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-mail</artifactId>
    </dependency>
    <dependency>
        <groupId>org.codehaus.jackson</groupId>
        <artifactId>jackson-mapper-asl</artifactId>
        <version>1.9.11</version>
    </dependency>
</dependencies>

<build>
    <plugins>
        <plugin>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-maven-plugin</artifactId>
        </plugin>
    </plugins>
</build>

Error Log:

2021-12-14 15:45:52,957 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 95) MSC000001: Failed to start service jboss.deployment.unit."lojistikteminatlitasimacilik-0.0.1-SNAPSHOT.war".undertow-deployment: org.jboss.msc.service.StartException in service jboss.deployment.unit."lojistikteminatlitasimacilik-0.0.1-SNAPSHOT.war".undertow-deployment: java.lang.NoSuchFieldError: EMPTY_BYTE_ARRAY
        at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:81)
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
        at java.util.concurrent.FutureTask.run(FutureTask.java:266)
        at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
        at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1990)
        at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
        at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)
        at java.lang.Thread.run(Thread.java:748)
        at org.jboss.threads.JBossThread.run(JBossThread.java:513)
Caused by: java.lang.NoSuchFieldError: EMPTY_BYTE_ARRAY
        at org.apache.logging.log4j.core.config.ConfigurationSource.(ConfigurationSource.java:56)
        at org.apache.logging.log4j.core.config.NullConfiguration.(NullConfiguration.java:32)
        at org.apache.logging.log4j.core.LoggerContext.(LoggerContext.java:85)
        at org.apache.logging.log4j.core.selector.ClassLoaderContextSelector.createContext(ClassLoaderContextSelector.java:254)
        at org.apache.logging.log4j.core.selector.ClassLoaderContextSelector.locateContext(ClassLoaderContextSelector.java:218)
        at org.apache.logging.log4j.core.selector.ClassLoaderContextSelector.getContext(ClassLoaderContextSelector.java:140)
        at org.apache.logging.log4j.core.selector.ClassLoaderContextSelector.getContext(ClassLoaderContextSelector.java:123)
        at org.apache.logging.log4j.core.impl.Log4jContextFactory.getContext(Log4jContextFactory.java:230)
        at org.apache.logging.log4j.core.impl.Log4jContextFactory.getContext(Log4jContextFactory.java:47)
        at org.apache.logging.log4j.LogManager.getContext(LogManager.java:174)
        at org.springframework.boot.logging.log4j2.Log4J2LoggingSystem.getLoggerContext(Log4J2LoggingSystem.java:264)
        at org.springframework.boot.logging.log4j2.Log4J2LoggingSystem.beforeInitialize(Log4J2LoggingSystem.java:131)
        at org.springframework.boot.context.logging.LoggingApplicationListener.onApplicationStartingEvent(LoggingApplicationListener.java:220)
        at org.springframework.boot.context.logging.LoggingApplicationListener.onApplicationEvent(LoggingApplicationListener.java:199)
        at org.springframework.context.event.SimpleApplicationEventMulticaster.doInvokeListener(SimpleApplicationEventMulticaster.java:172)
        at org.springframework.context.event.SimpleApplicationEventMulticaster.invokeListener(SimpleApplicationEventMulticaster.java:165)
        at org.springframework.context.event.SimpleApplicationEventMulticaster.multicastEvent(SimpleApplicationEventMulticaster.java:139)
        at org.springframework.context.event.SimpleApplicationEventMulticaster.multicastEvent(SimpleApplicationEventMulticaster.java:127)
        at org.springframework.boot.context.event.EventPublishingRunListener.starting(EventPublishingRunListener.java:69)
        at org.springframework.boot.SpringApplicationRunListeners.starting(SpringApplicationRunListeners.java:48)
        at org.springframework.boot.SpringApplication.run(SpringApplication.java:302)
        at org.springframework.boot.web.servlet.support.SpringBootServletInitializer.run(SpringBootServletInitializer.java:157)
        at org.springframework.boot.web.servlet.support.SpringBootServletInitializer.createRootApplicationContext(SpringBootServletInitializer.java:137)
        at org.springframework.boot.web.servlet.support.SpringBootServletInitializer.onStartup(SpringBootServletInitializer.java:91)
        at org.springframework.web.SpringServletContainerInitializer.onStartup(SpringServletContainerInitializer.java:171)
        at io.undertow.servlet.core.DeploymentManagerImpl$1.call(DeploymentManagerImpl.java:204)
        at io.undertow.servlet.core.DeploymentManagerImpl$1.call(DeploymentManagerImpl.java:187)
        at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:42)
        at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
        at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
        at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1530)
        at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1530)
        at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1530)
        at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1530)
        at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1530)
        at io.undertow.servlet.core.DeploymentManagerImpl.deploy(DeploymentManagerImpl.java:255)
        at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:96)
        at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:78)
        ... 8 more
2021-12-14 15:45:52,967 ERROR [org.jboss.as.controller.management-operation] (External Management Request Threads -- 3) WFLYCTL0013: Operation ("add") failed - address: ([("deployment" => "lojistikteminatlitasimacilik-0.0.1-SNAPSHOT.war")]) - failure description: {"WFLYCTL0080: Failed services" => {"jboss.deployment.unit.\"lojistikteminatlitasimacilik-0.0.1-SNAPSHOT.war\".undertow-deployment" => "java.lang.NoSuchFieldError: EMPTY_BYTE_ARRAY
    Caused by: java.lang.NoSuchFieldError: EMPTY_BYTE_ARRAY"}}
2021-12-14 15:45:52,968 ERROR [org.jboss.as.server] (External Management Request Threads -- 3) WFLYSRV0021: Deploy of deployment "lojistikteminatlitasimacilik-0.0.1-SNAPSHOT.war" was rolled back with the following failure message:
{"WFLYCTL0080: Failed services" => {"jboss.deployment.unit.\"lojistikteminatlitasimacilik-0.0.1-SNAPSHOT.war\".undertow-deployment" => "java.lang.NoSuchFieldError: EMPTY_BYTE_ARRAY
    Caused by: java.lang.NoSuchFieldError: EMPTY_BYTE_ARRAY"}}
Batuhan Batu
  • 131
  • 1
  • 2
  • 9
  • Please post the full stacktrace and when posting post it as code not as an unreadable image. – M. Deinum Dec 13 '21 at 12:53
  • Seems like you only upgraded log4j-core. Can you share the contents of your pom.xml (if using maven)? You should probably also update the other log4j dependencies, like log4j-api – NSV Dec 13 '21 at 23:01
  • @BatuhanBatu were you able to resolve the issue? I am getting exact same exception while starting springboot application! Could you please advise? – Raman Verma Dec 15 '21 at 05:39
  • hmmm, same issue here while setting pom file property 2.16.0 – Micho Rizo Dec 16 '21 at 01:00
  • Maybe [this](https://stackoverflow.com/questions/70474648/wildfly-16-log4j-2-17-0-nosuchfielderror-empty-byte-array) can be helpful. It solves EMPTY_BYTE_ARRAY problem with wildfly in a non-spring project. – r-uu Mar 14 '22 at 10:13

9 Answers9

5

Wildfly uses the log4j-api artifact(probably a older version than 2.16.0) and the version mismatch between the log4j-api and log4j-core will cause issues. documentation for how to incorporate log4j-core in your application

For more info check: https://www.wildfly.org/news/2021/12/13/Log4j-CVEs/

Laszlo Toth
  • 51
  • 2
5

I had to do two things to get it to work:

  1. If you do not already have it, create src/main/webapp/WEB-INF/jboss-deployment-structure.xml. Inside it add

    <jboss-deployment-structure>
  <deployment>
     <exclusions>
        <module name="org.apache.logging.log4j.api"/>
    </exclusions>
  </deployment>
</jboss-deployment-structure>

  2. In my case, the war file still had both 2.11.0 and the new 2.16.0 version inside of WEB-INF/lib. I opened the war and remove the 2.11.0 versions.

Micho Rizo
  • 1,000
  • 3
  • 12
  • 27
  • [Here](https://stackoverflow.com/questions/70474648/wildfly-16-log4j-2-17-0-nosuchfielderror-empty-byte-array) is a solution that fixes the EMPTY_BYTE_ARRAY problem for a non-spring project. Maybe this can be helpful. – r-uu Mar 14 '22 at 09:35
4

You need to upgrade log4j api in wildfly to 2.15.0 or 2.16.0 (latest currently). Copy new log4j api jar into \wildfly\modules\system\layers\base\org\apache\logging\log4j\api\main
and update module.xml

You can also exclude wildfly's log4j using jboss-deployment-structure file, but anyway it's better to have fixed version of log4j in wildfly

makstitoff
  • 41
  • 2
  • 1
    Your answer could be improved with additional supporting information. Please [edit] to add further details, such as citations or documentation, so that others can confirm that your answer is correct. You can find more information on how to write good answers [in the help center](/help/how-to-answer). – Community Dec 15 '21 at 17:18
  • Just need to mention the correct file name with version in module.xml file and it is good to go. Thanks – Pawan Tiwari Dec 16 '21 at 10:25
3

So I had this issue this morning with updating log4j to version 2.15.0. The issue I found was that a maven dependency was pulling in an older version of log4j (2.14.1 in my case) which would give back the error constant "EMPTY_BYTE_ARRAY". In 2.15.0, EMPTY_BYTE_ARRAY does not exist and gives this error.

I would suggest looking at your maven dependency tree and see if an older version of log4j-api, log4j-core, or another log4j library is being pulled in that isn't the version that you are using, which looks to be 2.16.0.

I did this through eclipse by setting my maven goal to "dependency:tree".

Chase Tyree
  • 39
  • 3
1

Was able to workaround (not fix) by switching to JSONLayout rather than PatternLayout. PatternLayout doesn't seem to work in some cases even with its default constructor... have not figured out why yet.

Chairface Chippendale
  • 11
  • 1
1

I encountered a simiular problem.

In my case, I needed to replace spring-boot-starter-log4j2 with log4j-xxx. At first, I only added log4j-slf4j-impl, log4j-core, log4j-jul and jul-to-slf4j. After comparing dependency tree, I also added log4j-api, and the problem was gone.

So I suggest you compare the dependency tree to see if some dependencies are missing.

Gus
  • 3,534
  • 1
  • 30
  • 39
frankcrc
  • 31
  • 1
  • 4
1

For some reason, in my case there was a mismatch in the versions for log4j-api & log4j-core. So, I had to manually exclude it from pom. It is now working as expected.

        <dependency>
            <groupId>org.apache.logging.log4j</groupId>
            <artifactId>log4j-core</artifactId>
            <version>2.17.1</version>
            <exclusions>
                <exclusion>
                    <groupId>org.apache.logging.log4j</groupId>
                    <artifactId>log4j-api</artifactId>
                </exclusion>
            </exclusions>
        </dependency>
        <dependency>
            <groupId>org.apache.logging.log4j</groupId>
            <artifactId>log4j-api</artifactId>
            <version>2.17.1</version>
        </dependency>
Imran AK
  • 103
  • 10
0

if can't use 2.15.0or 2.16.0 ,try 2.12.2 also fix the security vulnerability。 here the log4j site:https://logging.apache.org/log4j/2.x/

Mitigation

In version 2.12.2 Log4j disables access to JNDI by default. Usage of JNDI in configuration now need to be enabled explicitly. Calls to the JndiLookup will now return a constant string. Also, Log4j now limits the protocols by default to only java. The message lookups feature has been completely removed.

In version 2.16.0 Log4j disables access to JNDI by default. JNDI lookups in configuration now need to be enabled explicitly. Also, Log4j now limits the protocols by default to only java, ldap, and ldaps and limits the ldap protocols to only accessing Java primitive objects. Hosts other than the local host need to be explicitly allowed. The message lookups feature has been completely removed.

GreyDesolate
  • 29
  • 3
0

After adding log4j2.version in pom.xml , ex.

<properties> .. <log4j2.version>2.17.1</log4j2.version> </properties>

we need to clean and compile the existing files. With Maven by running

mvn clean install

By performing this step, we'll have all the latest compiled files, and we'll avoid running into the error.

Atul Kumar
  • 1