qos-ch / reload4j

reload4j is a drop-in replacement for log4j 1.2.17
Apache License 2.0

zookeeper 3.4.6 unable to start by replacing reload4j jar directly into binary. #44

Closed muneebamjad closed 2 years ago

muneebamjad commented 2 years ago

Our customer has concerns about the log4j vulnerabilities, so we ran an activity and replaced all the log4j occurrences with reload4j, and those are working fine. But unfortunately we have some components like (elastic-search/zookeeper/logstash) whose binaries are using the log4j-1.2.16/17 rev. (zookeeper) and log4j-core-2.16.x/log4j-core-2.11.x (elastic-search/logstash). We successfully upgraded the elastic-search/logstash log4j version to log4j-core-2.17.1 (by placing the higher version jars in the lib directory), but when we tried the same with zookeeper by replacing log4j-1.2.16 with reload4j directly in lib and starting zookeeper, it throws the following exception:

tail: /var/seamless/log/zookeeper/init.out: file truncated
Exception in thread "main" java.lang.NoClassDefFoundError: org/apache/log4j/jmx/HierarchyDynamicMBean
    at org.apache.zookeeper.jmx.ManagedUtil.registerLog4jMBeans(ManagedUtil.java:50)
    at org.apache.zookeeper.server.ZooKeeperServerMain.initializeAndRun(ZooKeeperServerMain.java:74)
    at org.apache.zookeeper.server.ZooKeeperServerMain.main(ZooKeeperServerMain.java:52)
    at org.apache.zookeeper.server.quorum.QuorumPeerMain.initializeAndRun(QuorumPeerMain.java:116)
    at org.apache.zookeeper.server.quorum.QuorumPeerMain.main(QuorumPeerMain.java:78)
Caused by: java.lang.ClassNotFoundException: org.apache.log4j.jmx.HierarchyDynamicMBean
    at java.net.URLClassLoader.findClass(URLClassLoader.java:381)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:424)
    at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:331)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
    ... 5 more

reload4j doesn't include HierarchyDynamicMBean.class, which is causing this issue. Can someone please guide us on how we can fix this?

Thanks

muneebamjad commented 2 years ago

Just saw the prior commits: it has been removed under 1.2.18.4. So the only workaround is to use 1.2.18.3, which has these files. No wonder these packages have been removed in higher releases.

ceki commented 2 years ago

@muneebamjad As you write, the org.apache.log4j.jmx package was removed in 1.2.18.4. It was removed because the code is deemed of relatively poor quality and as a potential source for vulnerabilities.

muneebamjad commented 2 years ago

@ceki thanks for your quick response. Now I'm afraid of also using 1.2.18.3, as this release has the jmx package, which means it still has vulnerabilities. I looked into the latest stable zookeeper 3.7.0 binary and they're still using log4j-1.2.17. In their latest release (3.8.0) they moved to the logback & slf4j impl. Could you please guide me on what I should do now for this particular scenario? For now I've placed 1.2.18.3 in zookeeper's /lib/. It started with reload4j, but again I wonder about the jmx vulnerability.

123Haynes commented 2 years ago

@muneebamjad you can try setting the system property zookeeper.jmx.log4j.disable to true.
That way zookeeper won't try to register those mbeans.

See here for the relevant docs: https://github.com/apache/zookeeper/blob/master/zookeeper-docs/src/main/resources/markdown/zookeeperJMX.md#log4j-mbeans-deprecated

muneebamjad commented 2 years ago

@123Haynes for the comment you added. I tried it and it worked with the latest reload4j (1.2.19). I'm closing this ticket with this comment. Thanks Haynes for your time and for guiding us. Much appreciated.
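A pre-flight check for the two findings in this thread (the missing org.apache.log4j.jmx class from the first comment and the zookeeper.jmx.log4j.disable workaround from 123Haynes), added here as an example and not code from reload4j or ZooKeeper: it inspects a replacement jar for the class entry the stack trace shows ZooKeeper loading, and checks whether the JVM flags disable the log4j MBean registration. The jar fixtures are constructed in memory; the real jar paths and the JVMFLAGS value are assumptions for the reader to substitute.

```python
import io
import shlex
import zipfile

# Class entry ZooKeeper loads in ManagedUtil.registerLog4jMBeans (from the trace above).
REQUIRED_CLASSES = ["org/apache/log4j/jmx/HierarchyDynamicMBean.class"]
# System property from the thread that makes ZooKeeper skip log4j MBean registration.
DISABLE_PROP = "zookeeper.jmx.log4j.disable"


def build_jar(entries):
    """Construct an in-memory jar with the given entry names (constructed fixture).
    Only the entry names matter for the check; the class bodies are left empty."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in entries:
            zf.writestr(name, b"")
    return buf.getvalue()


def missing_classes(jar_bytes, required=REQUIRED_CLASSES):
    """Return the required class entries that the jar does not contain.
    For a jar on disk, pass open(path, 'rb').read()."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        present = set(zf.namelist())
    return [c for c in required if c not in present]


def jmx_log4j_disabled(jvmflags):
    """True when the JVM flags (e.g. the JVMFLAGS string passed to zkServer.sh,
    an assumption here) set -Dzookeeper.jmx.log4j.disable=true."""
    for tok in shlex.split(jvmflags):
        if tok.startswith("-D" + DISABLE_PROP + "="):
            return tok.split("=", 1)[1].strip().lower() == "true"
    return False


def startup_will_fail(jar_bytes, jvmflags):
    """Model of the thread's outcome: startup hits NoClassDefFoundError only when
    the jmx class is absent AND MBean registration has not been disabled."""
    return bool(missing_classes(jar_bytes)) and not jmx_log4j_disabled(jvmflags)


# Constructed fixtures standing in for the two jars discussed in the thread.
LOG4J_1_2_17 = build_jar(["org/apache/log4j/Logger.class",
                          "org/apache/log4j/jmx/HierarchyDynamicMBean.class"])
RELOAD4J_1_2_19 = build_jar(["org/apache/log4j/Logger.class"])  # jmx package removed

if __name__ == "__main__":
    print("missing from reload4j:", missing_classes(RELOAD4J_1_2_19))
    print("fails without flag:", startup_will_fail(RELOAD4J_1_2_19, "-Xmx512m"))
    print("fails with flag:", startup_will_fail(RELOAD4J_1_2_19, "-Dzookeeper.jmx.log4j.disable=true"))
```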