Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

ClasscastException - org.apache.log4j.Logger cannot be cast to org.owasp.esapi.Logger - log4j to log4j2

Tags:

logging

log4j2

jboss7.x

esapi

I am working on upgrading log4j to log4j2. In that process I am getting a Logger Class cast exception. Below is the error.

Caused by: java.lang.ClassCastException: org.apache.log4j.Logger cannot be cast to org.owasp.esapi.Logger
    at org.owasp.esapi.reference.Log4JLogFactory.getLogger(Log4JLogFactory.java:88)
    at org.owasp.esapi.ESAPI.getLogger(ESAPI.java:154)
    at org.owasp.esapi.reference.DefaultEncoder.<init>(DefaultEncoder.java:75)
    at org.owasp.esapi.reference.DefaultValidator.<clinit>(DefaultValidator.java:91)
    ... 45 more

In my old code( log4j properties file) I see a reference to this Logger. Below is the code that we have in our old code.

log4j.loggerFactory=org.owasp.esapi.reference.Log4JLoggerFactory

Now in log4j2 I am using log4j2.xml file and I didn't find any tag equivalent to that line. Could any please suggest me how to proceed?
Note: I am running my application in JBoss EAP 7

like image 551
ATK Avatar asked Jul 13 '17 16:07

ATK

People also ask

What is difference between log4j and Log4j2?

Community support: Log4j 1. x is not actively maintained, whereas Log4j 2 has an active community where questions are answered, features are added and bugs are fixed. Automatically reload its configuration upon modification without losing log events while reconfiguring.

Does Esapi use log4j?

(ESAPI has no dependency on Log4J 2.) The reason for this is we need to support backwards compatibility for our clients. There is a possibility that you could use ESAPI in a manner that makes it vulnerable to the multiple Log4J 2 CVEs if you configure ESAPI to use SLF4J along with an unpatched version of Log4J 2.

Does log4j 1.2 17 have vulnerability?

Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data.

1 Answers

You can switch the logger factory away from the Log4j1 factory in the ESAPI.properties file to something else in order to avoid this error. I haven't tried but I imagine you could create a custom logging factory that uses Log4j2.

The following example will configure ESAPI to use JUL logging, which avoids the ClassCastException:

ESAPI.Logger=org.owasp.esapi.reference.JavaLogFactory

like image 99
Travis Schneeberger Avatar answered Sep 18 '22 11:09

Travis Schneeberger
Sign in to Comment

Related questions

Apache historical connections log
Is Log4j a dead project? [closed]
Help me understanding python's logging module and its handlers
What are the advantages of using syslog over other logging facilites?
Liferay: what is the default approach for logging in Liferay?
Codeigniter - check if user is logged and exists (it's a real user)
log file empty when using log4j2
simplest way to log to tomcat catalina.out
how to redirect the logging output of xmlrpc server to some file
Where do DEBUG and INFO messages go when using Python's SyslogHandler on MAC OSX?
Is there a module to log errors in memory?
Control logging level by WebSphere admin console
Need to implement Custom Logger Wrapper in log4j2
Customizing pytest junitxml failure reports
vertx LoggerHandler not adding logback
Python logging: can dictConfig be read from a file?
How to disable logging?
How to implement a Global Python Logger?
Implementation and usage of logger wrapper for Serilog
How to get logger level as string value

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!