{"id":15096950,"url":"https://github.com/apache/logging-log4j1","last_synced_at":"2025-10-08T02:30:45.267Z","repository":{"id":574277,"uuid":"206384","full_name":"apache/logging-log4j1","owner":"apache","description":"Apache log4j1","archived":true,"fork":false,"pushed_at":"2023-01-03T18:51:42.000Z","size":14229,"stargazers_count":868,"open_issues_count":12,"forks_count":576,"subscribers_count":110,"default_branch":"main","last_synced_at":"2025-10-06T00:36:48.630Z","etag":null,"topics":["log4j"],"latest_commit_sha":null,"homepage":"","language":"Java","has_issues":false,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":"hermanschaaf/cedict","license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/apache.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2009-05-21T01:31:38.000Z","updated_at":"2025-10-02T09:14:38.000Z","dependencies_parsed_at":"2023-01-11T15:47:22.576Z","dependency_job_id":null,"html_url":"https://github.com/apache/logging-log4j1","commit_stats":null,"previous_names":["apache/log4j"],"tags_count":73,"template":false,"template_full_name":null,"purl":"pkg:github/apache/logging-log4j1","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/apache%2Flogging-log4j1","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/apache%2Flogging-log4j1/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/apache%2Flogging-log4j1/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/apache%2Flogging-log4j1/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/apache","download_url":"https://codeload.github.com/apache/logging-log4j1/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/apache%2Flogging-log4j1/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":278877498,"owners_count":26061457,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-08T02:00:06.501Z","response_time":56,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["log4j"],"created_at":"2024-09-25T16:02:50.441Z","updated_at":"2025-10-08T02:30:44.470Z","avatar_url":"https://github.com/apache.png","language":"Java","funding_links":[],"categories":["日志库"],"sub_categories":[],"readme":"# Apache Log4j 1\n\nDear Log4j community,\n\nWhile working on the December 2021 Apache Log4j 2 releases the Apache\nLogging Services PMC received requests to reevaluate the 2015\nEnd-of-Life (EOL) decision for Apache Log4j 1, which has seen its\nlatest release in 2012.\n\nWe have considered these requests and discussed various options.\nUltimately we came to the unanimous decision that the only sustainable\napproach is to continue to focus on Log4j 2. The PMC hereby reconfirms\nthe 2015 EOL announcement of Log4j 1, meaning no resources will be\ninvested into the Log4j 1 codebase. We encourage users to update to\nrecent versions of Log4j 2. We welcome every effort to contribute to\nthe Log4j community. Please use the developer mailing lists to get in\ntouch: https://logging.apache.org/log4j/2.x/mail-lists.html\n\nThe Log4j 1 source code will continue to be publicly available but\nPull Requests will be closed as \"Won't Fix\". The Apache License allows\nfor code forks that respect Apache Software Foundation Trademarks.\n\nHere are some of the reasons we believe this is the right choice for\nthe Log4j project:\n\n## Log4j 2 supports migration from Log4j 1\n\nWe've made improvements to\nhttps://logging.apache.org/log4j/2.x/manual/migration.html to better\nexplain the process. Many users are not aware that Log4j 2 now\nsupports Log4j 1 configuration files, since this feature is relatively\nnew. We believe most applications using Log4j 1 can now simply replace\nthe Log4j 1.x jar with Log4j 2 jars and be able to run. Users are\nencouraged to contact us through the project mailing lists\n(https://logging.apache.org/log4j/2.x/mail-lists.html) if there are\nadditional areas for improvement.\n\n## Log4j 1 deadlock and multithreading design limitations\n\nThe decision to relaunch the Log4j project as Log4j 2 meant we had an\nopportunity to correct long standing design deficiencies. One of these\nfundamental design deficiencies has to do with how to handle\nmultithreading within the library. The following mailing list question\nis but one example of known multithreading issues with Log4j 1:\nhttps://lists.apache.org/thread/7yqrmzqgzpxmbcc7skl0vr8z33fk4hd4\n\n## High-complexity Log4j 1 bugs\n\nIn addition to the items listed, many other issues can be found in\nBugzilla: https://bz.apache.org/bugzilla\n\n| Issue | Description |\n| ----- | ----------- |\n| 50213 | Category callAppenders synchronization causes java.lang.Thread.State: BLOCKED |\n| 46878 | Deadlock in 1.2.15 caused by AsyncAppender and ThrowableInformation classes |\n| 41214 | Deadlock with RollingFileAppender |\n| 44700 | Log4J locks rolled log files (files can’t be deleted) |\n| 49481 | Log4j stops writing to file, and then causes server to lockup |\n| 50323 | Vulnerability in NTEventLogAppender |\n| 50463 | AsyncAppender causing deadlock when dispatcher thread dies |\n| 50858 | Classloader leak when using Log4j in a webapp container such as Tomcat, WebLogic |\n| 52141 | [STUCK] ExecuteThread...Blocked trying to get lock: org/apache/log4j/Logger@0xc501e0a8[fat lock] |\n| 54009 | Thread is getting Blocked |\n| 54325 | Concurrency issues in AppenderAttachableImpl |\n\n## Complexities with Log4j 1 build system that could impact binary compatibility\n\nApart from the issues listed above, Log4j 1 suffers from a challenging\nbuild system designed around long outdated versions of Java and\noperating system specific Appenders that the current development team\ncannot support. Taking shortcuts in proposed fixes means an updated\nrelease would not support all the environments of the original 1.2.x\nrelease. Patches to Log4j 1 would also have to be compatible with the\nexisting Log4j 2 migration path.\n\n## Limited Log4j 1 community\n\nThe Apache Logging PMC and committer community has been focused on the\nsuccess of Log4j 2 for nearly a decade. There had been little to no\ninterest in Log4j 1 in the years leading up to the 2015 EOL\nannouncement. While there might be people interested in working\nindependently on Log4j 1, until the Logging Services community can\ngauge the merit of those contributors, the PMC would have to review\nand apply all patches, drive the release process, and provide future\nsupport. We feel that effort is better spent improving non-legacy\ncode. We welcome community contributions in the migration components\nfor better tooling and support.\n\n## Unfixed Vulnerabilities\n\nSeveral security vulnerabilities have been discovered in Log4j 1.x\nsince it was declared end of life. The following table lists the\nCVEs published about these issues.\n\n| Severity | CVE | Summary |\n|----------|-----|---------|\n| High | [CVE-2019-17571](https://www.cve.org/CVERecord?id=CVE-2019-17571) | SocketServer is vulnerable to a remote code execution vulnerability when an attacker can craft malicious serialized log events and send them to a listening SocketServer instance. |\n| Moderate | [CVE-2020-9488](https://www.cve.org/CVERecord?id=CVE-2020-9488) | SMTPAppender is vulnerable to a man-in-the-middle attack when using SMTPS due to lack of hostname verification in the TLS certificate. |\n| High | [CVE-2021-4104](https://www.cve.org/CVERecord?id=CVE-2021-4104) | JMSAppender is vulnerable to a remote code execution vulnerability when an attacker controls either the configuration file or target LDAP server used for setting the TopicBindingName and TopicConnectionFactoryBindingName configurations. |\n| High | [CVE-2022-23302](https://www.cve.org/CVERecord?id=CVE-2022-23302) | JMSSink is vulnerable to a remote code execution vulnerability when an attacker controls either the configuration file or target LDAP server used for setting the TopicConnectionFactoryBindingName configurations. |\n| High | [CVE-2022-23305](https://www.cve.org/CVERecord?id=CVE-2022-23305) | JDBCAppender is vulnerable to a SQL injection vulnerability when an attacker can craft a malicious log message written to a JDBCAppender. |\n| Critical | [CVE-2022-23307](https://www.cve.org/CVERecord?id=CVE-2022-23307) | Chainsaw versions bundled with Log4j prior to Chainsaw 2.1.0 are vulnerable to a remote code execution vulnerability when an attacker sends malicious serialized log events. See also [CVE-2020-9493](https://www.cve.org/CVERecord?id=CVE-2020-9493) for the CVE affecting the standalone version of Apache Chainsaw. |\n\n\nRegards,\u003cbr /\u003e\nRon\n\nThe Apache Software Foundation\u003cbr /\u003e\nV.P., Logging Services\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fapache%2Flogging-log4j1","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fapache%2Flogging-log4j1","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fapache%2Flogging-log4j1/lists"}