
Reference: the KISA log4j security vulnerability response guide and manual

 

KISA Internet Bohonara (보호나라) & KrCERT

www.boho.or.kr

Existing pom.xml

<properties>
	<log4j.version>1.2.12</log4j.version>
</properties>
    
<dependencies>
    <dependency>
        <groupId>log4j</groupId>
        <artifactId>log4j</artifactId>
        <version>${log4j.version}</version>
    </dependency>
    <dependency>
        <groupId>org.slf4j</groupId>
        <artifactId>slf4j-api</artifactId>
        <version>1.7.13</version>
    </dependency>
    <dependency>
        <groupId>org.slf4j</groupId>
        <artifactId>slf4j-log4j12</artifactId>
        <version>1.7.13</version>
        <scope>test</scope>
    </dependency>
</dependencies>

Download location for the latest log4j

 

Log4j – Download Apache Log4j 2


logging.apache.org

1. Change pom.xml (add/remove libraries)

Remove log4j 1.2.12 and update to log4j 2.17.2

(For reference, the Java version currently in use is 1.8)

 

Remove log4j-1.2.12.jar and add three jars: log4j-api-2.17.2.jar, log4j-core-2.17.2.jar and log4j-web-2.17.2.jar

Remove slf4j-log4j12-1.7.13.jar and add log4j-slf4j-impl-2.17.2.jar

Change slf4j-api-1.7.13.jar to slf4j-api-1.7.25.jar

 

Modified pom.xml

<properties>
	<log4j.version>2.17.2</log4j.version>
</properties>

<dependencies>
    <!-- log4j 2 artifacts live under the org.apache.logging.log4j groupId,
         not the log4j groupId used by 1.x -->
    <dependency>
        <groupId>org.apache.logging.log4j</groupId>
        <artifactId>log4j-api</artifactId>
        <version>${log4j.version}</version>
    </dependency>
    <dependency>
        <groupId>org.apache.logging.log4j</groupId>
        <artifactId>log4j-core</artifactId>
        <version>${log4j.version}</version>
    </dependency>
    <dependency>
        <groupId>org.apache.logging.log4j</groupId>
        <artifactId>log4j-web</artifactId>
        <version>${log4j.version}</version>
    </dependency>
    <!-- slf4j-api upgraded 1.7.13 -> 1.7.25 -->
    <dependency>
        <groupId>org.slf4j</groupId>
        <artifactId>slf4j-api</artifactId>
        <version>1.7.25</version>
    </dependency>
    <!-- SLF4J -> log4j 2 binding, replaces slf4j-log4j12 -->
    <dependency>
        <groupId>org.apache.logging.log4j</groupId>
        <artifactId>log4j-slf4j-impl</artifactId>
        <version>${log4j.version}</version>
        <scope>test</scope>
    </dependency>
</dependencies>

When working on a local PC, run Maven Update after editing pom.xml
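As an added check after the Maven update (this script is not part of the original post), run `mvn dependency:tree` and scan the output for a log4j 1.x artifact that a transitive dependency still pulls in, or a log4j-core older than the 2.17.2 this guide targets. SAMPLE_TREE is constructed input shaped like the tree output, and com.example:legacy-lib is a hypothetical library.

```shell
#!/bin/sh
# Added example, not from the original post: scan `mvn dependency:tree` output
# for log4j 1.x still on the classpath or a log4j-core below the target version.
# SAMPLE_TREE is constructed test input; com.example:legacy-lib is hypothetical.
TARGET_VERSION=2.17.2

SAMPLE_TREE='[INFO] com.example:demo:war:1.0
[INFO] +- org.apache.logging.log4j:log4j-api:jar:2.17.2:compile
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.17.2:compile
[INFO] +- org.slf4j:slf4j-api:jar:1.7.25:compile
[INFO] \- com.example:legacy-lib:jar:3.1:compile
[INFO]    \- log4j:log4j:jar:1.2.12:compile'

# version_lt A B -> succeeds when dotted version A sorts before B
version_lt() {
  [ "$1" != "$2" ] || return 1
  first=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
  [ "$first" = "$1" ]
}

# check_tree: reads tree text on stdin, prints one FLAG line per finding
check_tree() {
  while IFS= read -r line; do
    case "$line" in
      *" log4j:log4j:jar:"*)
        echo "FLAG log4j 1.x still on the classpath: $line" ;;
      *"org.apache.logging.log4j:log4j-core:jar:"*)
        ver=$(printf '%s\n' "$line" | sed -n 's/.*log4j-core:jar:\([0-9.]*\):.*/\1/p')
        if version_lt "$ver" "$TARGET_VERSION"; then
          echo "FLAG log4j-core $ver is older than $TARGET_VERSION: $line"
        fi ;;
    esac
  done
}

# count_flags TREE_TEXT -> number of findings (0 means the classpath is clean)
count_flags() {
  printf '%s\n' "$1" | check_tree | awk '/^FLAG/ { n++ } END { print n + 0 }'
}

count_flags "$SAMPLE_TREE"
```

For a real project, generate the input with `mvn dependency:tree -Dincludes=log4j,org.apache.logging.log4j` and pipe it into check_tree; the sample above reports the log4j:log4j:1.2.12 brought in by the legacy library.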

 

2. Add log4j2.xml

log4j 2.x looks for a file named log4j2.xml,

so add log4j2.xml under the existing path src/main/resources

* The syntax of log4j.xml and log4j2.xml is different

 

AS-IS (log4j.xml)

<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/"
	debug="false">

	<appender name="stdout" class="org.apache.log4j.ConsoleAppender">
		<layout class="org.apache.log4j.PatternLayout">
			<param name="ConversionPattern" value="%d %-5p %-30c{2} (%-24M : %-5L) %3x : %m%n" />
		</layout>
	</appender>

TO-BE (log4j2.xml)

<Configuration status="DEBUG">

	<Appenders>
		<Console name="stdout" target="SYSTEM_OUT">
			<PatternLayout pattern="%d %-5p %-30c{2} (%-24M : %-5L) %3x : %m%n" />
		</Console>

log4j.xml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE log4j:configuration SYSTEM "log4j.dtd">
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/"
debug="false">

	<appender name="stdout" class="org.apache.log4j.ConsoleAppender">
		<layout class="org.apache.log4j.PatternLayout">
			<param name="ConversionPattern" value="%d %-5p %-30c{2} (%-24M : %-5L) %3x : %m%n" />
		</layout>
	</appender>

	<appender name="default" class="org.apache.log4j.DailyRollingFileAppender">
		<param name="file" value="${log.path}/framework/default.log" />
		<param name="Append" value="true" />
		<param name="DatePattern" value="'.'yyyy-MM-dd" />
		<layout class="org.apache.log4j.PatternLayout">
			<param name="ConversionPattern" value="%d %-5p %-30c{2} (%-24M : %-5L) %3x : %m%n" />
		</layout>
	</appender>

	<appender name="asyncLogFile" class="org.apache.log4j.AsyncAppender">
		<param name="BufferSize" value="1024" />
		<appender-ref ref="default" />
	</appender>

	<logger name="com.jein.framework.core" additivity="false">
		<level value="INFO" />
		<appender-ref ref="default" />
		<appender-ref ref="stdout"/>
	</logger>
    
	<root>
		<level value="ERROR" />
		<appender-ref ref="stdout" />
	</root>
</log4j:configuration>

log4j2.xml

<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="DEBUG">
	<Properties>
		<!-- shared layout pattern, referenced below as ${ConversionPattern} -->
		<Property name="ConversionPattern">%d %-5p %-30c{2} (%-24M : %-5L) %3x : %m%n</Property>
	</Properties>

	<Appenders>
		<Console name="stdout" target="SYSTEM_OUT">
			<PatternLayout pattern="${ConversionPattern}" />
		</Console>

		<!-- ${sys:log.path} reads the log.path system property, as ${log.path} did in log4j 1 -->
		<RollingFile name="default" fileName="${sys:log.path}/framework/default.log"
			filePattern="${sys:log.path}/framework/default.log.%d{yyyy-MM-dd}">
			<PatternLayout pattern="${ConversionPattern}" />
			<Policies>
				<SizeBasedTriggeringPolicy size="10MB" />
				<TimeBasedTriggeringPolicy modulate="true" interval="1" />
			</Policies>
		</RollingFile>

		<!-- Async is itself an appender and must be declared inside Appenders, after the one it wraps -->
		<Async name="asyncLogFile" includeLocation="true">
			<AppenderRef ref="default" />
		</Async>
	</Appenders>

	<Loggers>
		<Logger name="com.jein.framework.core" level="INFO" additivity="false">
			<AppenderRef ref="default" />
			<AppenderRef ref="stdout" />
		</Logger>

		<!-- Root has no additivity attribute; it is the end of the logger chain -->
		<Root level="ERROR">
			<AppenderRef ref="stdout" />
		</Root>
	</Loggers>
</Configuration>

 

3. Fix the compile errors on startup -> change the imports

After the upgrade to log4j2, the logger declared as below in the AS-IS code fails

import org.apache.log4j.Logger;

public class Test {
	// log4j 1.x API: the class is no longer on the classpath after the upgrade, so this fails to compile
	private Logger logger = Logger.getLogger(Test.class);

	public Test(Object request) {
		logger.info("here");
	}
}

TO-BE changes

import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

public class Test {
	// log4j 2 API: Logger instances are obtained through LogManager
	private Logger logger = LogManager.getLogger(Test.class);

	public Test(Object request) {
		logger.info("here");
	}
}

Change import org.apache.log4j.Logger; -> (log4j2) import org.apache.logging.log4j.Logger;

Change Logger.getLogger() -> (log4j2) LogManager.getLogger()

 

There are way too many Java files to fix..... sob sob sob

After making the changes above and running again, the upgrade to log4j2 is complete
