
Lombok @Log4j2 annotation doesn't work with latest version of log4j (v2.15.0)

I upgraded the log4j dependency to the latest 2.15.0 version and now my Spring Boot application throws an error on start up

Exception in thread "main" java.lang.NoSuchFieldError: EMPTY_BYTE_ARRAY
    at org.apache.logging.log4j.core.config.ConfigurationSource.<clinit>(ConfigurationSource.java:56)
    at org.apache.logging.log4j.core.config.NullConfiguration.<init>(NullConfiguration.java:32)
    at org.apache.logging.log4j.core.LoggerContext.<clinit>(LoggerContext.java:85)
    at org.apache.logging.log4j.core.selector.ClassLoaderContextSelector.createContext(ClassLoaderContextSelector.java:254)
    at org.apache.logging.log4j.core.selector.ClassLoaderContextSelector.locateContext(ClassLoaderContextSelector.java:218)
    at org.apache.logging.log4j.core.selector.ClassLoaderContextSelector.getContext(ClassLoaderContextSelector.java:136)
    at org.apache.logging.log4j.core.selector.ClassLoaderContextSelector.getContext(ClassLoaderContextSelector.java:123)
    at org.apache.logging.log4j.core.selector.ClassLoaderContextSelector.getContext(ClassLoaderContextSelector.java:117)
    at org.apache.logging.log4j.core.impl.Log4jContextFactory.getContext(Log4jContextFactory.java:150)
    at org.apache.logging.log4j.core.impl.Log4jContextFactory.getContext(Log4jContextFactory.java:47)
    at org.apache.logging.log4j.LogManager.getContext(LogManager.java:194)
    at org.apache.logging.log4j.LogManager.getLogger(LogManager.java:581)
    at foo.bar.org.MyApp.<clinit>(MyApp.java:13)

Here is my main class

@Log4j2
@SpringBootApplication(exclude={DataSourceAutoConfiguration.class})
public class MyApp {

  public static void main(String[] args) {
    SpringApplication.run(MyApp.class, args);
  }
}

This should not be a lombok issue. There should be a problem with your upgrade method.

The right way to upgrade log4j version:

For maven, set the log4j2.version property:

<properties>
    <log4j2.version>2.15.0</log4j2.version>
</properties>

For gradle:

ext['log4j2.version'] = '2.15.0'

Works for me.

Detail: Log4J2 Vulnerability and Spring Boot

More detail: Why you need to upgrade log4j version

In case you have the following in your pom.xml:

<dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-api</artifactId>
    <version>2.15.0</version>
</dependency>
<dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-core</artifactId>
    <version>2.15.0</version>
</dependency>

make sure that both have the same version. I forgot it for one (left the old version) and saw the same error.

  1. set the log4j2.version property:
<properties>
    <log4j2.version>2.15.0</log4j2.version>
</properties>
  2. fix pom.xml:
<dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-api</artifactId>
    <version>${log4j2.version}</version>
</dependency>
<dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-core</artifactId>
    <version>${log4j2.version}</version>
</dependency>

What worked for me was to exclude all transitive dependencies of conflicting version for log4j-api and log4j-core.
I've tracked them down with:
mvn dependency:tree -Dverbose -Dincludes=org.apache.logging.log4j:log4j-api
and
mvn dependency:tree -Dverbose -Dincludes=org.apache.logging.log4j:log4j-core
So I made sure that 2.15.0 version was the only version for both log4j dependencies across the project.
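
A scripted form of the check described in the answers above (an added example, not part of the original posts): it reads `mvn dependency:tree -Dverbose` output and fails when the resolved log4j-api and log4j-core versions differ, the mix the answers report as causing the startup error. The function names and the sample tree are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: audit Maven dependency:tree output for mixed Log4j 2 versions.
# Real use (groupId-only filter covers both artifacts):
#   mvn dependency:tree -Dverbose -Dincludes=org.apache.logging.log4j | log4j_aligned

# Constructed sample: log4j-api left at an old version, log4j-core upgraded.
SAMPLE_TREE='[INFO] foo.bar.org:my-app:jar:1.0.0
[INFO] +- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO] \- org.apache.logging.log4j:log4j-core:jar:2.15.0:compile
[INFO]    \- (org.apache.logging.log4j:log4j-api:jar:2.15.0:compile - omitted for conflict with 2.14.1)'

# Print "artifact version" for each resolved log4j-api/log4j-core node.
# Nodes marked "omitted for ..." lost conflict resolution and are not on the
# classpath, so they are skipped. Assumes group:artifact:type:version:scope
# coordinates (no classifier).
resolved_log4j() {
  grep -v 'omitted for' \
    | sed -nE 's/.*org\.apache\.logging\.log4j:(log4j-(api|core)):[^:]+:([^:]+):.*/\1 \3/p' \
    | sort -u
}

# Exit 0 only when exactly one version is resolved across both artifacts.
# Exits 1 on a mismatch, and also when no Log4j 2 artifact is found at all.
log4j_aligned() {
  resolved_log4j \
    | awk '{ seen[$2] = 1 } END { n = 0; for (v in seen) n++; exit (n == 1 ? 0 : 1) }'
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_TREE" | resolved_log4j
if printf '%s\n' "$SAMPLE_TREE" | log4j_aligned; then
  echo "log4j-api and log4j-core resolve to a single version"
else
  echo "MISMATCH: log4j-api and log4j-core resolve to different versions"
fi
```

Because `log4j_aligned` communicates through its exit status, it can gate a CI step directly.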

Our old project had the same problem with 2.15.0 or 2.16.0; then we tried 2.12.2, which is OK, and this also fixes the security vulnerability. Here is the log4j site: https://logging.apache.org/log4j/2.x/

Mitigation

In version 2.12.2 Log4j disables access to JNDI by default. Usage of JNDI in configuration now need to be enabled explicitly. Calls to the JndiLookup will now return a constant string. Also, Log4j now limits the protocols by default to only java. The message lookups feature has been completely removed.

In version 2.16.0 Log4j disables access to JNDI by default. JNDI lookups in configuration now need to be enabled explicitly. Also, Log4j now limits the protocols by default to only java, ldap, and ldaps and limits the ldap protocols to only accessing Java primitive objects. Hosts other than the local host need to be explicitly allowed. The message lookups feature has been completely removed.
