ClasscastException - org.apache.log4j.Logger cannot be cast to org.owasp.esapi.Logger - log4j to log4j2

I am working on upgrading log4j to log4j2. In that process I am getting a Logger ClassCastException. Below is the error.

Caused by: java.lang.ClassCastException: org.apache.log4j.Logger cannot be cast to org.owasp.esapi.Logger
    at org.owasp.esapi.reference.Log4JLogFactory.getLogger(Log4JLogFactory.java:88)
    at org.owasp.esapi.ESAPI.getLogger(ESAPI.java:154)
    at org.owasp.esapi.reference.DefaultEncoder.<init>(DefaultEncoder.java:75)
    at org.owasp.esapi.reference.DefaultValidator.<clinit>(DefaultValidator.java:91)
    ... 45 more

In my old code (log4j properties file) I see a reference to this Logger. Below is the code that we have in our old code.

log4j.loggerFactory=org.owasp.esapi.reference.Log4JLoggerFactory

Now in log4j2 I am using a log4j2.xml file and I didn't find any tag equivalent to that line. Could anyone please suggest how to proceed?
Note: I am running my application in JBoss EAP 7

ATK asked Jul 13 '17 16:07


1 Answer

You can switch the logger factory away from the Log4j1 factory in the ESAPI.properties file to something else in order to avoid this error. I haven't tried but I imagine you could create a custom logging factory that uses Log4j2.

The following example will configure ESAPI to use JUL logging, which avoids the ClassCastException:

ESAPI.Logger=org.owasp.esapi.reference.JavaLogFactory

Travis Schneeberger answered Sep 18 '22 11:09
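The custom Log4j2-backed factory mentioned in the answer, written out as an added example (not code from the question, the answer or the ESAPI project). It assumes the ESAPI 2.1.x `org.owasp.esapi.LogFactory` and `org.owasp.esapi.Logger` contracts (the method set below is taken from that interface and should be checked against the ESAPI version actually on the classpath), and the package `com.example.logging` is hypothetical:

```java
package com.example.logging; // hypothetical package name

import org.apache.logging.log4j.Level;
import org.apache.logging.log4j.LogManager;
import org.owasp.esapi.LogFactory;
import org.owasp.esapi.Logger;

/** ESAPI LogFactory that hands out Log4j 2 backed loggers instead of Log4j 1 ones. */
public class Log4j2LogFactory implements LogFactory {
    public Logger getLogger(String moduleName) { return new Log4j2Logger(moduleName); }
    public Logger getLogger(Class clazz)       { return new Log4j2Logger(clazz.getName()); }

    /** Adapts the ESAPI Logger contract onto org.apache.logging.log4j.Logger. */
    static class Log4j2Logger implements Logger {
        // intLevel 0 matches OFF, so messages at this level pass every threshold (ESAPI "always").
        private static final Level ALWAYS = Level.forName("ALWAYS", 0);
        private final org.apache.logging.log4j.Logger log;
        private int esapiLevel = Logger.ALL; // effective threshold is governed by log4j2.xml

        Log4j2Logger(String name) { log = LogManager.getLogger(name); }

        private void emit(Level level, EventType type, String msg, Throwable t) {
            // Keep the ESAPI event type (SECURITY_FAILURE etc.) in the message so it stays searchable.
            log.log(level, "[" + type + "] " + msg, t);
        }

        public void setLevel(int level) { esapiLevel = level; }
        public int getESAPILevel()      { return esapiLevel; }

        public void fatal(EventType type, String msg)                { emit(Level.FATAL, type, msg, null); }
        public void fatal(EventType type, String msg, Throwable t)   { emit(Level.FATAL, type, msg, t); }
        public void error(EventType type, String msg)                { emit(Level.ERROR, type, msg, null); }
        public void error(EventType type, String msg, Throwable t)   { emit(Level.ERROR, type, msg, t); }
        public void warning(EventType type, String msg)              { emit(Level.WARN, type, msg, null); }
        public void warning(EventType type, String msg, Throwable t) { emit(Level.WARN, type, msg, t); }
        public void info(EventType type, String msg)                 { emit(Level.INFO, type, msg, null); }
        public void info(EventType type, String msg, Throwable t)    { emit(Level.INFO, type, msg, t); }
        public void debug(EventType type, String msg)                { emit(Level.DEBUG, type, msg, null); }
        public void debug(EventType type, String msg, Throwable t)   { emit(Level.DEBUG, type, msg, t); }
        public void trace(EventType type, String msg)                { emit(Level.TRACE, type, msg, null); }
        public void trace(EventType type, String msg, Throwable t)   { emit(Level.TRACE, type, msg, t); }
        public void always(EventType type, String msg)               { emit(ALWAYS, type, msg, null); }
        public void always(EventType type, String msg, Throwable t)  { emit(ALWAYS, type, msg, t); }

        public boolean isFatalEnabled()   { return log.isFatalEnabled(); }
        public boolean isErrorEnabled()   { return log.isErrorEnabled(); }
        public boolean isWarningEnabled() { return log.isWarnEnabled(); }
        public boolean isInfoEnabled()    { return log.isInfoEnabled(); }
        public boolean isDebugEnabled()   { return log.isDebugEnabled(); }
        public boolean isTraceEnabled()   { return log.isTraceEnabled(); }
    }
}
```

Wire it in with `ESAPI.Logger=com.example.logging.Log4j2LogFactory` in ESAPI.properties, replacing the Log4JLogFactory entry that triggers the cast.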