| << Back to previous view |
|
[QB-3802] Any guidence for log4j tracking issues?
|
|
| Status: | Closed |
| Project: | QuickBuild |
| Component/s: | None |
| Affects Version/s: | 10.0.15 |
| Fix Version/s: | None |
| Type: | Bug | Priority: | Major |
| Reporter: | Cheolhee Jeon | Assigned To: | Robin Shen |
| Resolution: | Fixed | Votes: | 0 |
| Remaining Estimate: | Unknown | Time Spent: | Unknown |
| Original Estimate: | Unknown | ||
| Environment: | ubuntu 16.04 | ||
| Description |
|
Hello,
I've heard log4j issues happening few days ago. And I've checked our's log4j version that seems like 2.13.1 https://www.techsolvency.com/story-so-far/cve-2021-44228-log4j-log4shell/ according to this channel, it said I should version up the log4j, and I can't find any guide for upgrading log4j for qb. Could you give me some? Thx |
| Comments |
| Comment by Robin Shen [ 13/Dec/21 02:11 AM ] |
| This has been fixed in 11.0.21 |
| Comment by Robin Shen [ 13/Dec/21 01:43 PM ] |
|
Fix also available in QB 10.0.37:
https://build.pmease.com/build/5400 |
| Comment by Cheolhee Jeon [ 14/Dec/21 12:49 AM ] |
|
Hello Robin,
I've got underneath error when I tried to upgrade qb server from 10.0.15 to 11.0.21 Do you have any solution for this? Thx. root@quickbuild-server-mig-test-6d98bf79cd-r54pn:/data/quickbuild-11.0.21/bin$ ./upgrade.sh /data/quickbuild-10.0.15 openjdk version "1.8.0_265" OpenJDK Runtime Environment (build 1.8.0_265-8u265-b01-0ubuntu2~16.04-b01) OpenJDK 64-Bit Server VM (build 25.265-b01, mixed mode) =========================================================== SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder". SLF4J: Defaulting to no-operation (NOP) logger implementation SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details. Exception in thread "main" java.lang.NoClassDefFoundError: org/apache/logging/log4j/LogManager at org.apache.log4j.helpers.FileWatchdog.start(FileWatchdog.java:49) at com.pmease.quickbuild.bootstrap.Bootstrap.init(Bootstrap.java:336) at com.pmease.quickbuild.bootstrap.Upgrade.main(Upgrade.java:418) Caused by: java.lang.ClassNotFoundException: org.apache.logging.log4j.LogManager at java.net.URLClassLoader.findClass(URLClassLoader.java:382) at java.lang.ClassLoader.loadClass(ClassLoader.java:418) at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:352) at java.lang.ClassLoader.loadClass(ClassLoader.java:351) ... 3 more |
| Comment by Cheolhee Jeon [ 14/Dec/21 01:23 AM ] |
|
It worked!
I've misunderstood the guidence which said "switch the bin sub folder" , so I switched bin folder from latest one, then upgrade.. Thx. |
| Comment by Robin Shen [ 14/Dec/21 01:27 AM ] |
| Thanks for the update. Just tested to see that everything works, and curious why it is not working at your side. :) |
| Comment by Cheolhee Jeon [ 14/Dec/21 01:39 AM ] |
|
I've coppied bin folder from quickbuild-10.0.15 to quickbuild-11.0.21 and then excute upgrade.sh under quickbuild-11.0.21/bin ..
so basically it cannot work at all. I've just catched what I missed, so I decompress the tar file again, and just upgrade.sh with new one. And it worked well :) |
| Comment by Cheolhee Jeon [ 21/Dec/21 12:09 AM ] |
|
Hello Robin,
I've heard that log4j 2.15.1 version also has another defect. So It should be going higher version. Does QB also have any plan for updating this? Thx |
| Comment by Robin Shen [ 21/Dec/21 02:28 AM ] |
|
Please upgrade to QB 10.0.39 which uses latest log4j 2.17.0:
https://build.pmease.com/build/5442 |
| Comment by Cheolhee Jeon [ 21/Dec/21 02:38 AM ] |
|
Hello Robin,
last time you said upgrade to 11.0.21. But this time you recommend me 10.0.39. Are there any update for Major 11 version of QB which uses log4j 2.17.0? Thx |
| Comment by Robin Shen [ 21/Dec/21 03:01 AM ] |
|
If you are using QB11, please upgrade to 11.0.25:
https://build.pmease.com/build/5439 |
| Comment by Cheolhee Jeon [ 21/Dec/21 04:19 AM ] |
|
Thx, Robin.
I've just update mine to 11.0.25 and it shows version up log4j too. |
| Comment by Robin Shen [ 21/Dec/21 04:45 AM ] |
| 11.0.25 is using log4j 2.17.0. What do you mean for "it shows version up log4j too"? |
| Comment by Cheolhee Jeon [ 21/Dec/21 04:53 AM ] |
|
I mean, It works good.
log4j's version was 2.17.0 in qb 11.0.25 :) |
| Comment by Robin Shen [ 21/Dec/21 06:01 AM ] |
| That is good, :) |