ICEfaces-EE / IPCK-569

Remove legacy dependencies on log4j library

    Details

    • Type: Improvement
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: EE-3.3.0.GA, EE-4.3.0.GA
    • Fix Version/s: EE-3.3.0.GA_P10
    • Component/s: Project Templates, Release
    • Labels:
      None
    • Environment:
      ICEfaces EE

      Description

      The ICEfaces EE 3.3.0.GA and EE 4.3.0.GA bundles currently include references to the Apache log4j 1.x library.

      This JIRA is to review log4j's usage in these bundles and remove if feasible to reduce exposure to any possible log4j exploit concerns.

        Activity

        Ken Fyten added a comment -

        ICEfaces EE 3.3.0.GA_P09

        The log4j library is referenced in the following locations in the binary bundle:

        • /projectbuilder/lib/log4j-1.2.16.jar
        • /projectbuilder/conf/ant/build.xml
          	
          	<patternset id="showcase.jars">
          		<include name="jhighlight-1.0.jar"/>
          		<include name="log4j-1.2.9.jar"/>
          

        ICEfaces EE 4.3.0.GA_P03

        The log4j library is included in the icepush-ee/lib folder in the icefaces-ee-4.3.0.GA_P09-src.zip bundle only, and has the following manifest:

        Name: org.apache.log4j
        Implementation-Title: log4j
        Implementation-Vendor: "Apache Software Foundation"
        Implementation-Version: 1.2.15 

        As it is used during development/debugging of icepush-ee only, the binary bundle has no references to it.

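The comment above finds log4j 1.x in three ways: by jar file name, by an `<include>` in an Ant build file, and by the jar's manifest. The following is an added example, not ICEfaces code, that automates the same review over an unpacked bundle. The function names and finding labels are hypothetical, and the sample tree (including `renamed-logging.jar`) is constructed for illustration.

```python
import re
import tempfile
import zipfile
from pathlib import Path

JAR_REF = re.compile(r"log4j-1\.\d+(?:\.\d+)*\.jar")  # e.g. log4j-1.2.16.jar
TITLE = re.compile(r"^Implementation-Title:[ \t]*log4j\s*$", re.M)
VERSION = re.compile(r"^Implementation-Version:[ \t]*(1\.[\d.]+)\s*$", re.M)

def manifest_log4j_version(jar_path):
    """Return the log4j 1.x version declared in a jar's manifest, or None."""
    try:
        with zipfile.ZipFile(jar_path) as jar:
            text = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError, OSError):
        return None  # unreadable archive or no manifest
    match = VERSION.search(text)
    return match.group(1) if TITLE.search(text) and match else None

def scan_bundle(root):
    """Return sorted (kind, relative_path, detail) findings under root."""
    root, findings = Path(root), []
    for path in (p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if path.suffix == ".jar":
            if JAR_REF.fullmatch(path.name):
                findings.append(("jar-name", rel, path.name))
            version = manifest_log4j_version(path)
            if version:  # also catches a log4j jar shipped under another name
                findings.append(("jar-manifest", rel, version))
        elif path.suffix == ".xml":
            for ref in sorted(set(JAR_REF.findall(path.read_text(errors="replace")))):
                findings.append(("build-ref", rel, ref))
    return sorted(findings)

def sample_findings():
    """Scan a constructed tree modelled on the layout in the comment."""
    manifest = "Manifest-Version: 1.0\r\n\r\nName: org.apache.log4j\r\nImplementation-Title: log4j\r\nImplementation-Version: 1.2.15\r\n"
    with tempfile.TemporaryDirectory() as tmp:
        lib = Path(tmp, "projectbuilder", "lib")
        ant = Path(tmp, "projectbuilder", "conf", "ant")
        lib.mkdir(parents=True)
        ant.mkdir(parents=True)
        (lib / "log4j-1.2.16.jar").write_bytes(b"")  # constructed placeholder
        with zipfile.ZipFile(lib / "renamed-logging.jar", "w") as jar:
            jar.writestr("META-INF/MANIFEST.MF", manifest)
        (ant / "build.xml").write_text('<include name="log4j-1.2.9.jar"/>\n')
        return scan_bundle(tmp)
```

Running `scan_bundle` on the unpacked binary and source bundles before and after the cleanup gives a direct check that no name, build reference or manifest entry remains.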

          People

          • Assignee:
            Ken Fyten
            Reporter:
            Ken Fyten
          • Votes:
            0
            Watchers:
            1

            Dates

            • Created:
              Updated: