1

I am migrating from log4j1.x to log4j2 due to recent vulnerability. It seems another dependency is referencing the the old log4j1.x file.

In addition to removing old log4j1.x file I added log4j-core, log4j-api, and log4j-1.2-api all version 2.16. I looked up documentation https://logging.apache.org/log4j/2.x/manual/migration.html for migration and thought the last jar file log4j-1.2-api would solve the issue of unrelated libraries that were dependent on log4j1.x

I am having difficulty figuring out if I have to update the org.glassfish dependendies. As you can see from my pom.xml file I also tried updating jersey-server jar but to no avail.

pom.xml

<repositories>
        <repository>
            <id>maven2-repository.java.net</id>
            <name>Java.net Repository for Maven</name>
            <url>http://download.java.net/maven/2/</url>
            <layout>default</layout>
        </repository>
    </repositories>
    <properties>
        <jersey2.version>2.25.1</jersey2.version>
        <jaxrs.version>2.0.1</jaxrs.version>
        <bootstrap.version>3.3.5</bootstrap.version>
        <angularjs.version>1.4.7</angularjs.version>
        <angular-ui-bootstrap.version>0.14.0</angular-ui-bootstrap.version>
        <ng-file-upload.version>9.0.12</ng-file-upload.version>
    </properties>
  
  <build>
    <sourceDirectory>src</sourceDirectory>
    <plugins>
      <plugin>
        <artifactId>maven-compiler-plugin</artifactId>
        <version>3.5.1</version>
        <configuration>
          <source>1.8</source>
          <target>1.8</target>
        </configuration>
      </plugin>
      <plugin>
        <artifactId>maven-war-plugin</artifactId>
        <version>3.0.0</version>
        <configuration>
          <warSourceDirectory>WebContent</warSourceDirectory>
        </configuration>
      </plugin>
    </plugins>
  </build>
  <dependencies>
  <!-- JAX-RS -->
    <dependency>
        <groupId>javax.ws.rs</groupId>
        <artifactId>javax.ws.rs-api</artifactId>
        <version>${jaxrs.version}</version>
    </dependency>
    <!-- Jersey 2.19 -->
  <dependency>
       <groupId>org.glassfish.jersey.containers</groupId>
       <artifactId>jersey-container-servlet</artifactId>
       <version>${jersey2.version}</version>
   </dependency> 
    <!--  <dependency>
    <groupId>org.glassfish.jersey.core</groupId>
    <artifactId>jersey-server</artifactId>
    <version>3.0.3</version>
</dependency> -->
     <dependency>
       <groupId>org.glassfish.jersey.core</groupId>
       <artifactId>jersey-server</artifactId>
       <version>${jersey2.version}</version>
   </dependency> 
   <dependency>
       <groupId>org.glassfish.jersey.core</groupId>
       <artifactId>jersey-client</artifactId>
       <version>${jersey2.version}</version>
   </dependency>
   <dependency>
       <groupId>org.glassfish.jersey.media</groupId>
       <artifactId>jersey-media-multipart</artifactId>
       <version>${jersey2.version}</version>
   </dependency>
    <dependency>
        <groupId>org.glassfish</groupId>
        <artifactId>javax.json</artifactId>
        <version>1.0.4</version>
    </dependency>  
        
    <dependency>
       <groupId>com.fasterxml.jackson.jaxrs</groupId>
       <artifactId>jackson-jaxrs-json-provider</artifactId>
       <version>2.4.1</version>
    </dependency>
    <dependency>
      <groupId>org.webjars</groupId>
      <artifactId>webjars-servlet-2.x</artifactId>
      <version>1.1</version>
    </dependency>
    <dependency>
      <groupId>org.webjars</groupId>
      <artifactId>bootstrap</artifactId>
      <version>${bootstrap.version}</version>
    </dependency>    
    <dependency>
      <groupId>org.webjars</groupId>
      <artifactId>angularjs</artifactId>
      <version>${angularjs.version}</version>
    </dependency>
    <dependency>
      <groupId>org.webjars</groupId>
      <artifactId>angular-ui-bootstrap</artifactId>
      <version>${angular-ui-bootstrap.version}</version>
    </dependency>   
    <dependency>
      <groupId>org.webjars.bower</groupId>
      <artifactId>ng-file-upload</artifactId>
      <version>${ng-file-upload.version}</version>
    </dependency>
    <dependency>
        <groupId>com.microsoft.sqlserver</groupId>
        <artifactId>mssql-jdbc</artifactId>
        <version>6.1.0.jre8</version>
    </dependency>
  <dependency>
  <groupId>org.apache.logging.log4j</groupId>
  <artifactId>log4j-api</artifactId>
  <version>2.16.0</version>
</dependency>

<dependency>
  <groupId>org.apache.logging.log4j</groupId>
  <artifactId>log4j-core</artifactId>
  <version>2.16.0</version>
</dependency>

<dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-1.2-api</artifactId>
    <version>2.16.0</version>
    <scope>test</scope>
</dependency>

    
  </dependencies>
</project>

Error

Jan 10, 2022 7:04:14 PM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet [REST] in context with path [/MyProject] threw exception [org.glassfish.jersey.server.ContainerException: java.lang.NoSuchMethodError: org.apache.log4j.ConsoleAppender.<init>(Lorg/apache/log4j/Layout;)V] with root cause
java.lang.NoSuchMethodError: org.apache.log4j.ConsoleAppender.<init>(Lorg/apache/log4j/Layout;)V
    at com.documentum.fc.common.impl.logging.LoggingConfigurator.configureLog4jWithSimpleDefault(LoggingConfigurator.java:154)
    at com.documentum.fc.common.impl.logging.LoggingConfigurator.performInitialConfiguration(LoggingConfigurator.java:45)
    at com.documentum.fc.common.DfLogger.<clinit>(DfLogger.java:624)
    at com.documentum.fc.common.impl.logging.LoggingConfigurator.onPreferencesInitialized(LoggingConfigurator.java:178)
    at com.documentum.fc.common.DfPreferences.initialize(DfPreferences.java:71)
    at com.documentum.fc.common.DfPreferences.getInstance(DfPreferences.java:43)
    at com.documentum.fc.client.DfSimpleDbor.getDefaultDbor(DfSimpleDbor.java:78)
    at com.documentum.fc.client.DfSimpleDbor.<init>(DfSimpleDbor.java:66)
    at com.documentum.fc.client.DfClient$ClientImpl.<init>(DfClient.java:350)
    at com.documentum.fc.client.DfClient.<clinit>(DfClient.java:766)
    at com.documentum.com.DfClientX.getLocalClient(DfClientX.java:43)
    at dpaa.cms.dctm.DCTMUtility.createSessionManager(DCTMUtility.java:28)
    at dpaa.cms.dctm.DCTMIntegration_Dental.getAMDentalRecords(DCTMIntegration_Dental.java:565)
    at dpaa.cms.dctm.DCTMIntegration_Dental.getAMDentalRecords(DCTMIntegration_Dental.java:534)
    at dpaa.cms.analytical_services.OdontologyService.getAMDentalRecords(OdontologyService.java:329)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at org.glassfish.jersey.server.model.internal.ResourceMethodInvocationHandlerFactory$1.invoke(ResourceMethodInvocationHandlerFactory.java:81)
    at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher$1.run(AbstractJavaResourceMethodDispatcher.java:144)
    at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.invoke(AbstractJavaResourceMethodDispatcher.java:161)
    at org.glassfish.jersey.server.model.internal.JavaResourceMethodDispatcherProvider$ResponseOutInvoker.doDispatch(JavaResourceMethodDispatcherProvider.java:160)
    at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.dispatch(AbstractJavaResourceMethodDispatcher.java:99)
    at org.glassfish.jersey.server.model.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:389)
    at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:347)
    at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:102)
    at org.glassfish.jersey.server.ServerRuntime$2.run(ServerRuntime.java:326)
    at org.glassfish.jersey.internal.Errors$1.call(Errors.java:271)
    at org.glassfish.jersey.internal.Errors$1.call(Errors.java:267)
    at org.glassfish.jersey.internal.Errors.process(Errors.java:315)
    at org.glassfish.jersey.internal.Errors.process(Errors.java:297)
    at org.glassfish.jersey.internal.Errors.process(Errors.java:267)
    at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:317)
    at org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:305)
    at org.glassfish.jersey.server.ApplicationHandler.handle(ApplicationHandler.java:1154)
    at org.glassfish.jersey.servlet.WebComponent.serviceImpl(WebComponent.java:473)
    at org.glassfish.jersey.servlet.WebComponent.service(WebComponent.java:427)
    at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:388)
    at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:341)
    at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:228)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:292)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:616)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:522)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1095)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:672)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1500)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1456)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Unknown Source)
Piotr P. Karwasz
  • 12,857
  • 3
  • 20
  • 43
jms310
  • 13
  • 3
  • 1
    You can use `mvn dependency:tree` to see which of your dependencies that are bringing in the old log4j version. – marstran Jan 10 '22 at 19:46
  • One of your dependencies (OpenText Documentum?) is configuring Log4j 1.x programmatically. Hence you can't replay `log4j` 1.x with `log4j-1.2-api`. – Piotr P. Karwasz Jan 10 '22 at 20:01
  • @marstran I'm still looking into the solution you provided – jms310 Jan 10 '22 at 20:38
  • @PiotrP.Karwasz Yes this application uses open Text Documentum. So this means I must find the dfc jar file that is compatible with log4j2? – jms310 Jan 10 '22 at 20:43
  • DFC might detect the logging backend using reflection (try removing `log4j-1.2-api`), but it is impossible to tell, since it is closed-source software. – Piotr P. Karwasz Jan 10 '22 at 20:53
  • @PiotrP.Karwasz thanks I will try that. I added that third file a day after adding the core and api jar and still had a similar error where a dependency was referencing the jar file that was removed :-/ – jms310 Jan 10 '22 at 21:25

1 Answers1

1

Documentum DFC requires log4j (the 1st version), therefore you can't remove this dependency.

KarolBe
  • 356
  • 2
  • 10
  • Thank you; I figured that out earlier this morning after seeing this: https://forums.opentext.com/forums/developer/discussion/167091/conflict-between-dfc-framework-and-slf4j I scrapped the log4j2 implementation and used this: https://www.slf4j.org/legacy.html#log4j-over-slf4j I removed the log4j1.x jar file and dependency in pom.xml. And I am able to see logs to console and logfile. – jms310 Jan 11 '22 at 21:30