reload4j is a drop-in replacement for log4j 1.2.17

Related tags

Logging java logging

What is reload4j?

The reload4j project is a fork of Apache log4j version 1.2.17. It aims to fix the most urgent issues in log4j 1.2.17 which hasn't seen a new release since 2012. It will be a drop-in replacement for log4j.jar.

Note that End of Life (EOL) status of log4j 1.x was formally reaffirmed on January the 6th 2022, and given the need to fix critical issues in log4j 1.2.17, and the presence of several volunteers to do the work, it was decided to resuscitate log4j 1.x under the name "reload4j" as a drop-in replacement.

Project web-site:

You can see open issues can be found at open issues or report new issues in

All steps undertaken in the project are first published on jira and discussed on the mailing list.

  • Add .editorconfig and .gitattributes for consistent handling of whitespace and newlines

    Add .editorconfig and .gitattributes for consistent handling of whitespace and newlines

    This PR goes on top of #12, so I suggest merging #12 first or just updating branch_1.2.18 to b04ec2b89b3b4b1575ec7e7e02372c900d2a573e which includes both PRs.

    opened by vlsi 6
  • zookeeper 3.4.6 unable to start by replacing reload4j jar directly into binary.

    zookeeper 3.4.6 unable to start by replacing reload4j jar directly into binary.

    Our customer has concerns about the log4j vulnerabilities, we ran an activity and replaced all the log4j occurrences with the reload4j and those are working fine. But unfortunately we've some components like ( elastic-search/zookeeper/logstash ) and their binaries are using the log4j-1.2.16/17 rev. (zookeeper) and log4j-core-2.16.x/log4j-core-2.11.x (elastic-search/logstash). We successfully upgraded the elastic-search/logstash log4j version to log4j-core-2.17.1 ( by placing the higher version jars ) in lib directory but when we tried the same with zookeeper by replacing the log4j-1.2.16 with reload4j directly in lib and starts the zookeeper it throws the following exception:

    tail: /var/seamless/log/zookeeper/init.out: file truncated Exception in thread "main" java.lang.NoClassDefFoundError: org/apache/log4j/jmx/HierarchyDynamicMBean at org.apache.zookeeper.jmx.ManagedUtil.registerLog4jMBeans( at org.apache.zookeeper.server.ZooKeeperServerMain.initializeAndRun( at org.apache.zookeeper.server.ZooKeeperServerMain.main( at org.apache.zookeeper.server.quorum.QuorumPeerMain.initializeAndRun( at org.apache.zookeeper.server.quorum.QuorumPeerMain.main( Caused by: java.lang.ClassNotFoundException: org.apache.log4j.jmx.HierarchyDynamicMBean at at java.lang.ClassLoader.loadClass( at sun.misc.Launcher$AppClassLoader.loadClass( at java.lang.ClassLoader.loadClass( ... 5 more

    reload4j doesn't include the HierarchyDynamicMBean.class which causing this issue. Can someone please guide how we can fix this?


    opened by muneebamjad 5
  • Localization issues in tests

    Localization issues in tests

    When I try to execute the build locally I get the following error:

    [ERROR] Failures:
    [ERROR]   TestLogMF.testDebugDouble:458 expected:<Iteration 3[,]142> but was:<Iteration 3[.]142>
    [ERROR]   TestLogMF.testDebugFloat:446 expected:<Iteration 3[,]142> but was:<Iteration 3[.]142>
    [ERROR]   TestLogMF.testInfoDouble:702 expected:<Iteration 3[,]142> but was:<Iteration 3[.]142>
    [ERROR]   TestLogMF.testInfoFloat:690 expected:<Iteration 3[,]142> but was:<Iteration 3[.]142>
    [ERROR]   TestLogMF.testTraceDouble:249 expected:<Iteration 3[,]14> but was:<Iteration 3[.]14>
    [ERROR]   TestLogMF.testTraceFloat:235 expected:<Iteration 3[,]14> but was:<Iteration 3[.]14>

    I suppose this is a localization issue in the test case.

    opened by fipro78 5
  • cannot reproduce official binaries

    cannot reproduce official binaries

    reload4j has near full Reproducible Build:

    but there is only one strange difference:

    │ @@ -2,15 +2,14 @@
    │  Implementation-Vendor: QOS.CH Sarl (Switzerland)
    │ -Originally-Created-By: Apache Maven Bundle Plugin 5.1.4
    │  Export-Package: org.apache.log4j;version="1.2.22";uses:="org.apache.lo

    how was this Originally-Created-By field injected in published binaries? Should the rebuild script do more than just mvn package to get this field injected? (I did not see any profile for that in project's pom.xml)

    opened by hboutemy 4
  • logpresso identifies CVE-2021-4104

    logpresso identifies CVE-2021-4104

    I downloaded reload4j from Maven Central and executed logpresso [1] on it via

    log4j2-scan --scan-log4j1 reload4j-

    I get the following output:

    [?] Found CVE-2021-4104  (log4j 1.2) vulnerability in C:\Users\xxx\Downloads\reload4j\reload4j-, log4j N/A
    Scanned 0 directories and 1 files
    Found 0 vulnerable files
    Found 1 potentially vulnerable files
    Found 0 mitigated files
    Completed in 0.01 seconds

    I don't know how logpresso actually works to identify the issue. But as the intention of reload4j is to fix CVE-2021-4104, there seems to be some inconsistency. Not sure if the ticket is placed correctly here or if it should be opened in the logpresso repository. Any insights would be helpful to get a consistent view on the fix provided via reload4j to avoid confusions.


    opened by fipro78 4
  • CVE-2022-23307


    We used the scanning platform to scan the latest 1.2.19 version of reload4j and found the following CRITICAL vulnerabilities

    CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists. CWE-502 Deserialization of Untrusted Data

    CVSSv2: Base Score: HIGH (10.0) Vector: /AV:N/AC:L/Au:N/C:C/I:C/A:C CVSSv3: Base Score: CRITICAL (9.8) Vector: /AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

    For details, see

    opened by zjfplayer 3
  • Request for Clarity on the Future for Reload4J

    Request for Clarity on the Future for Reload4J

    Thanks all for work in hardening this. I've been testing reload4j and it's very nice that it is a simple drop-in replacement - it works great.

    I note your statement that this is meant "to fix most pressing security issues. It is intended as a drop-in replacement for log4j version 1.2.17". I also read the comments about the Apache Software Foundation still considering log4j v1 as end of life. But I do note that SLF4J is now also supporting reload4J.

    With the recent log4jv2 issues the spot-light has been placed on all logging systems and our security team are not happy that slf4j v1 is end of life. If we go to the security team and recommend replacing our existing log4jv1 JARs with reload4j I know what they will ask next.

    Whilst I realise that, like most open-source, you probably do this in your spare time, would it be possible to clarify on the reload4j web site future plans. Is this still end-of-life, just a one shot replacement for log4jv1? Or will it now be a maintained (if needed) fork going forward - so no-longer end of life?

    I do realise this is "how long is a piece of string" question but just some clarity on the website would be very useful.

    opened by geoffblandrbs 3
  • Inform the update situation of CVE-2018-8088 (solved in slf4j 1.7.26 stable)

    Inform the update situation of CVE-2018-8088 (solved in slf4j 1.7.26 stable)

    Dear @qos-ch team,

    All websites do not have updated of CVE-2018-8088 situation:


    The problem was that you did not want to create a build in 1.7.x with the fix! It has been fixed in 1.7.26 (stable).

    And 1.8.0-beta4 (not 1.8.0-beta2).

    I think that today, you understand the problem of vulnerabilities / CVEs.

    Thanks in advance.

    opened by Neustradamus 3
  • log4j1 to reload4j causing Missing DocumentBuilderFactory.setFeature() method

    log4j1 to reload4j causing Missing DocumentBuilderFactory.setFeature() method

    Once i replace log4j1.x with reload4j, the application is unable to parse ang log4j.xml file giving the below exception. log4j:ERROR Failed to parse XML file. Missing DocumentBuilderFactory.setFeature() method?

    java.lang.AbstractMethodError: javax.xml.parsers.DocumentBuilderFactory.setFeature(Ljava/lang/String;Z)V

    at org.apache.log4j.xml.DOMConfigurator.doConfigure(
    at org.apache.log4j.xml.DOMConfigurator.doConfigure(
    at org.apache.log4j.helpers.OptionConverter.selectAndConfigure(
    at org.apache.log4j.LogManager.<clinit>(
    at org.apache.log4j.Logger.getLogger(
    at org.apache.commons.logging.impl.Log4JLogger.getLogger(
    at org.apache.commons.logging.impl.Log4JLogger.<init>(
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(
    at java.lang.reflect.Constructor.newInstance(
    at org.apache.commons.logging.impl.LogFactoryImpl.newInstance(
    at org.apache.commons.logging.impl.LogFactoryImpl.getInstance(
    at org.apache.commons.logging.impl.LogFactoryImpl.getInstance(
    at org.apache.commons.logging.LogFactory.getLog(
    opened by malathigv 2
  • programatic version is broken

    programatic version is broken

    Actually, it is broken since log4j:log4j:1.2.15 and above.

    The problem is that, due to error in the generated META-INF/MANIFEST.MF , it is not possible to determine the version of log4j / reload4j programatically. This is due to an invalide Name: entry in the manifest.

    This is a problem because it is then difficult to log, or access the reload4j version from code (for example, to check if you let the CVEs behind..)

    • version detection works with: Name: org/apache/log4j/
    • but is broken with the current: Name: org.apache.log4j

    I'm not sure if I can make a pull request on reload4j, put the following git diff fixes the problem for me:

    diff --git a/pom.xml b/pom.xml
    index 1f54ec10..579cedc5 100644
    --- a/pom.xml
    +++ b/pom.xml
    @@ -202,11 +202,19 @@
    +            <manifest>
    +              <addDefaultImplementationEntries>true</addDefaultImplementationEntries>
    +            </manifest>
    +            <manifestSections>
    +              <manifestSection>
    +                <name>org/apache/log4j/</name>
    +              </manifestSection>
    +            </manifestSections>

    Sample code for programatically acessing the version (as for other maven artifacts), but only works with a built jar:

    	public void testLog4jVersion() {
    		String implementationVersion = org.apache.log4j.PatternLayout.class.getPackage().getImplementationVersion();
    opened by noname713705 2
  • Missing setFeature function in DocumentBuilderFactory

    Missing setFeature function in DocumentBuilderFactory

    Certain older DocumentBuilderFactory implementations lack the setFeature function. This causes an AbstractMethodError method to be thrown in org.apache.log4j.xml.DOMConfigurator.doConfigure(ParseAction, LoggerRepository)

    Instead of letting the user identify the issue, better to catch and report this

    opened by ceki 2
  • org.apache.log4j.helpers.Loader.isJava1() returns true on Java 19 and other versions

    org.apache.log4j.helpers.Loader.isJava1() returns true on Java 19 and other versions

    If the Java version string doesn't include a decimal point, reload4j incorrectly identifies it as Java 1. The initial version of each major release no longer includes a decimal point (since around Java 10 or 11), so reload4j incorrectly identifies these as Java 1 (circa 1995).

    |  Welcome to JShell -- Version 19
    |  For an introduction type: /help intro
    jshell> System.getProperty("java.version")
    $1 ==> "19"
    jshell> org.apache.log4j.helpers.Loader.isJava1()
    $2 ==> true

    The simplest fix would be to make isJava1() always return false, since the reload4j website indicates that build targets Java 1.5, so the classfiles won't even work on Java 1.

    bug documentation 
    opened by pburka 3
  • oss-fuzz integration

    oss-fuzz integration

    Hi all,

    we have prepared the Initial Integration of reload4j into Google OSS-Fuzz which will provide more security for your project.

    Why do you need Fuzzing? The Code Intelligence JVM fuzzer Jazzer has already found hundreds of bugs in open source projects including for example OpenJDK, Protobuf or jsoup. Fuzzing proved to be very effective having no false positives. It provides a crashing input which helps you to reproduce and debug any finding easily. The integration of your project into the OSS-Fuzz platform will enable continuous fuzzing of your project by Jazzer.

    What do you need to do? The integration requires the maintainer or one established project commiter to deal with the bug reports.

    You need to create or provide one email address that is associated with a google account as per here. When a bug is found, you will receive an email that will provide you with access to ClusterFuzz, crash reports, code coverage reports and fuzzer statistics. More than 1 person can be included.

    How Code Intelligence can support? We will continue to add more fuzz targets to improve code coverage over time. Furthermore, we are permanently enhancing fuzzing technologies by developing new fuzzers and more bug detectors.

    Please let me know if you have any questions regarding fuzzing or the OSS-Fuzz integration.

    opened by aschaich 0
  • AppenderAttachable contract changed by performance improvement

    AppenderAttachable contract changed by performance improvement

    appenderList is now never null:

    Which means that code that used getAllAppenders() == null to decide if appenders were not configured now doesn't work ( we have programmatic configuration of loggers happening). It should be initialized here to keep the existing nullability behaviour:

    opened by DanielThomas 2
  • Performance improvement in Category callAppenders()

    Performance improvement in Category callAppenders()


    We just got a bottleneck in production with 2000+ threads blocked waiting on the lock in the synchronized block of callAppenders() in Category.

    This never happend before to us, including in stress tests.

    However, I seem to think a small performance improvement could be made with a simple open call (if I'm reading the code correctly).

        public void callAppenders(LoggingEvent event) {
    	int writes = 0;
    	for (Category c = this; c != null; c = c.parent) {
    	    // Protected against simultaneous call to addAppender, removeAppender,...
            // open call, read the values under lock:
            AppenderAttachableImpl aai;
            boolean additive;
    	    synchronized (c) {
                aai = c.aai;
                additive = c.additive;
            // open call
            if (aai != null) {
                writes += aai.appendLoopOnAppenders(event);
            if (!additive) {

    Since aai is final and is a thread-safe data structure, we only want correct visibility of the aai and additive fields and we don't need to block the whole category object while calling appendLoopOnAppenders.

    What do you think?

    Best regards, Dominique

    opened by lauredogit 3
  • Reload4j doesnot have this package org.apache.log4j.lf5.viewer.categoryexplorer

    Reload4j doesnot have this package org.apache.log4j.lf5.viewer.categoryexplorer


    Currently I have updated my project from log4j 1.7 to reload4j1.9 everything works fine but one functionality breaks Exception in thread "AWT-EventQueue-2" java.lang.NoClassDefFoundError: org/apache/log4j/lf5/viewer/categoryexplorer/TreeModelAdapter

    I have checked and found that reload doesn't contain this package Any help will be appreciated

    opened by sheenamo 1
QOS.CH (Switzerland)
QOS.CH (Switzerland)
Apache Log4j 2 is an upgrade to Log4j that provides significant improvements over its predecessor

Apache Log4j 2 Apache Log4j 2 is an upgrade to Log4j that provides significant improvements over its predecessor, Log4j 1.x, and provides many of the

Alvaro Muñoz 5 Oct 21, 2022
FST: fast java serialization drop in-replacement

fast-serialization up to 10 times faster 100% JDK Serialization compatible drop-in replacement (Ok, might be 99% ..). As an example: Lambda Serializat

moru0011 1.5k Dec 15, 2022
A free, simple-to-use drop-in replacement to DeluxeChat for HEX supported chat.

ChitChat A lightweight, simple-to-use chat plugin for Spigot and Paper Minecraft Servers - that supports 1.16+ hex-based styling, tooltips, click comm

Charlie Joseph 4 Dec 11, 2022
The Apache Software Foundation 3k Jan 4, 2023
log4j-scanner is a project derived from other members of the open-source community by CISA's Rapid Action Force team to help organizations identify potentially vulnerable web services affected by the log4j vulnerabilities.

Log4j Scanner This repository provides a scanning solution for the log4j Remote Code Execution vulnerabilities (CVE-2021-44228 & CVE-2021-45046). The

Cybersecurity and Infrastructure Security Agency 1.3k Dec 22, 2022
Oxygen-log4j-patcher - A tool that upgrades the log4j from an Oxygen installation to version 2.16

Oxygen XML Patch Tool for Apache Log4j vulnerability CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105 This is a tool that updates the log4j version 2

oXygen XML Editor 3 Jan 10, 2022
Log4j-payload-generator - Log4j jndi injects the Payload generator

0x01 简介 log4j-payload-generator是 woodpecker框架 生产log4 jndi注入漏洞payload的插件。目前可以一键生产以下5类payload。 原始payload {[upper|lower]:x}类型随机混payload {[upper|lower]:x}

null 469 Dec 30, 2022
Apache Log4j 2 is an upgrade to Log4j that provides significant improvements over its predecessor

Apache Log4j 2 Apache Log4j 2 is an upgrade to Log4j that provides significant improvements over its predecessor, Log4j 1.x, and provides many of the

Alvaro Muñoz 5 Oct 21, 2022
Realm is a mobile database: a replacement for SQLite & ORMs

Realm is a mobile database that runs directly inside phones, tablets or wearables. This repository holds the source code for the Java version of Realm

Realm 11.4k Jan 5, 2023
Joda-Time is the widely used replacement for the Java date and time classes prior to Java SE 8.

Joda-Time Joda-Time provides a quality replacement for the Java date and time classes. The design allows for multiple calendar systems, while still pr 4.9k Dec 27, 2022
Easy-to-use placeholder library to focus on replacement of regular expressions inside a text.

WPlaceholder Flexible library to replace placeholders inside messages/texts with Regex expressions. For what it's good for Placeholder replacement is

Luiz Otávio 7 Oct 11, 2022
Teste tcs loja REST/Endpoints/Postman/log4j/java/hibernate/H2

# Aplicativo REST API LOJA (Cliente, Produto, Pedido, Itens do Pedido) Requerimentos Para construir e executar a aplicação você precisa: JDK 11 Maven

Magno Weege 2 Jul 8, 2022
Small example repo for looking into log4j CVE-2021-44228

log4j CVE-2021-44228 Lame useless repo to look into log4j CVE-2021-44228. Setup The repository contains a .idea/ folder which is a IntelliJ IDEA proje

null 65 Dec 13, 2022
Scan and patch tool for CVE-2021-44228 and related log4j concerns.

A Log4J2 CVE-2021-44228 Vulnerability Scanner and Patcher Links to download the latest version: Linux x64 with glibc2.17+ (RHEL7+) Windows & all other

SAS Software 33 Jun 1, 2022
A singular file to protect as many Minecraft servers and clients as possible from the Log4j exploit (CVE-2021-44228).

MC-Log4J-Patcher The goal of this project is to provide Minecraft players, and server owners, peace of mind in regards to the recently discovered Log4

Koupa Taylor 4 Jan 4, 2022
基于 spring-boot-starter-log4j2:2.6.1 (log4j 2.14.1)

Log4j 2 CVE-2021-44228 测试样本应用 基于 spring-boot-starter-log4j2:2.6.1 (log4j 2.14.1) 可用接口 接口 请求方法 参数 vulnerable_request_get GET v=payload vulnerable_reque

Zhangzhe 3 Mar 23, 2022
Log4J CVE-2021-44228 Minecraft PoC

CVE-2021-44228 in Minecraft Java 16 Paper server build #397 Minecraft 1.17.1 Exploitation In Java 16 only deserialization attacks work by default usin

myxl 5 Feb 15, 2022
Log4j CVE-2021-44228 examples: Remote Code Execution (through LDAP, RMI, ...), Forced DNS queries, ...

Log4j CVE-2021-44228 and CVE-2021-45046 Requisites Use a vulnerable JDK, for instance JDK 1.8.0_181 Usage Malicious server The malicious server deploy

Manuel Álvarez Álvarez 5 Feb 7, 2022
CVE-2021-44228 - Apache log4j RCE quick test

Build ./ Start log4j RCE Server ./ Test Run java -cp log4j-rce-1.0-SNAPSHOT-all.jar log4j Check if you get logs in ha

Jeffrey Li 3 Feb 1, 2022