Oxygen Author Eclipse 23.0 with log4j fix
-
- Posts: 157
- Joined: Mon Aug 18, 2014 4:11 pm
Oxygen Author Eclipse 23.0 with log4j fix
Hi team,
We are currently using the Oxygen Author 23.0 ZIP distribution package for Eclipse in our setup. We have seen that the vulnerable log4j version is used in this Oxygen package.
We have seen you already released 23.1 and 24.0 with the fixes. But upgrading 23.0 to 23.1 in our setup would be time-consuming.
Could you please let us know if you have a new build for Oxygen Author 23.0 for Eclipse? Or is there any solution for this version?
Regards,
Shabeer
-
- Posts: 9434
- Joined: Fri Jul 09, 2004 5:18 pm
Re: Oxygen Author Eclipse 23.0 with log4j fix
Hi Shabeer,
We will not issue installation kits for 23.0 with the updated logging libraries so my recommendation is to use 23.1.
As a workaround you can set a certain system property in the eclipse.ini or set an environment variable when starting Eclipse, as mentioned here:
https://blog.oxygenxml.com/topics/oxyge ... s_faq.html
Regards,
Radu
Radu Coravu
<oXygen/> XML Editor
http://www.oxygenxml.com
-
- Posts: 157
- Joined: Mon Aug 18, 2014 4:11 pm
Re: Oxygen Author Eclipse 23.0 with log4j fix
Hi Radu,
Thank you for the response.
We have upgraded Oxygen to 23.1 from 23.0 and we see it uses log4j 2.16.
We also got information that Apache has released version 2.17.0 of log4j, which is more secure. Could you please let us know if you are planning to upgrade it in Oxygen Author? If so, when can it be? If it is available for 23.1 already, could you please share the download link with me?
Regards,
Shabeer
-
- Posts: 388
- Joined: Thu Jul 01, 2004 12:29 pm
Re: Oxygen Author Eclipse 23.0 with log4j fix
Hello Shabeer,
The flaw in log4j 2.16 that was resolved in 2.17 concerns a denial-of-service vulnerability when the logging configuration uses a non-default Pattern Layout with a Context Lookup.
Please see: https://www.oxygenxml.com/security/advi ... 45105.html
Oxygen products use a log4j configuration that does not change the default Pattern Layout. The vulnerability cannot be exploited unless a trusted party explicitly modifies the logging configuration to use a Pattern Layout with a Context Lookup. For this reason we have rated the severity level of this vulnerability for our products as low.
Since this is not a security issue for desktop applications, a security maintenance will not be issued for our desktop products at this time. By desktop applications I refer to Oxygen XML Editor/Author/Developer/Publishing Engine/WebHelp/Chemistry.
Nonetheless, future maintenance builds for our products that are still under maintenance will update log4j to 2.17 or later.
If you want to mitigate the issue and replace the log4j libraries with 2.17 at this time, please see the Mitigation section from the security advisory.
Best Regards,
Octavian
Octavian Nadolu
<oXygen/> XML Editor
http://www.oxygenxml.com
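The condition described in the reply above (a Pattern Layout whose pattern contains a Context Lookup) can be checked for in a log4j2 XML configuration file. This is an added example, not part of the original thread and not Oxygen's code; the two sample configurations are constructed, and it assumes the XML configuration format and log4j's `${ctx:key}` / `$${ctx:key}` Context Lookup syntax.

```python
import re
import xml.etree.ElementTree as ET

# Matches ${ctx:key} and the escaped form $${ctx:key}.
CTX_LOOKUP = re.compile(r"\$\$?\{ctx:[^}]*\}")

# Constructed sample: a plain pattern with no lookups.
SAMPLE_DEFAULT = """<Configuration>
  <Appenders>
    <Console name="stdout">
      <PatternLayout pattern="%d %-5p [%t] %c - %m%n"/>
    </Console>
  </Appenders>
</Configuration>"""

# Constructed sample: someone has edited the patterns to use Context Lookups.
SAMPLE_MODIFIED = """<Configuration>
  <Appenders>
    <Console name="stdout">
      <PatternLayout pattern="%d $${ctx:loginId} %m%n"/>
    </Console>
    <File name="file" fileName="app.log">
      <PatternLayout>
        <Pattern>%d ${ctx:requestId} %X{user} %m%n</Pattern>
      </PatternLayout>
    </File>
  </Appenders>
</Configuration>"""


def local(tag):
    """Element name without XML namespace, lower-cased (log4j ignores case)."""
    return tag.rsplit("}", 1)[-1].lower()


def find_ctx_lookups(xml_text):
    """Return [(appender_name, pattern, [lookups])] for every PatternLayout
    whose pattern contains a Context Lookup."""
    root = ET.fromstring(xml_text)
    parent = {child: p for p in root.iter() for child in p}
    findings = []
    for el in root.iter():
        if local(el.tag) != "patternlayout":
            continue
        attrs = {k.lower(): v for k, v in el.attrib.items()}
        patterns = [attrs["pattern"]] if attrs.get("pattern") else []
        # The pattern may also be given as a nested <Pattern> element.
        for child in el:
            if local(child.tag) == "pattern" and child.text:
                patterns.append(child.text.strip())
        owner = parent.get(el)
        name = owner.get("name", "?") if owner is not None else "?"
        for pattern in patterns:
            hits = CTX_LOOKUP.findall(pattern)
            if hits:
                findings.append((name, pattern, hits))
    return findings


if __name__ == "__main__":
    for label, cfg in (("default", SAMPLE_DEFAULT), ("modified", SAMPLE_MODIFIED)):
        print(label, find_ctx_lookups(cfg))
```

Thread Context Map conversions such as `%X{user}` are not lookups and are deliberately not flagged.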
-
- Posts: 157
- Joined: Mon Aug 18, 2014 4:11 pm
Re: Oxygen Author Eclipse 23.0 with log4j fix
Hi,
Thank you for the details.
We have also seen a new patcher developed by Radu which replaces the log4j version with the latest one.
We have run the patcher and the log4j versions in our Oxygen Author 23.1 Eclipse plugin got replaced. But after we launch the application, Oxygen Author stopped loading and it shows "ClassNotFoundException".
Could you please let us know why the patcher is not working with our Oxygen Author 23.1 Eclipse plugin?
Please see the error messages below:
org.eclipse.core.runtime.CoreException: Plug-in com.oxygenxml.author was unable to load class com.oxygenxml.editor.editors.xml.XMLEditor.
at org.eclipse.core.internal.registry.osgi.RegistryStrategyOSGI.throwException(RegistryStrategyOSGI.java:194)
at org.eclipse.core.internal.registry.osgi.RegistryStrategyOSGI.createExecutableExtension(RegistryStrategyOSGI.java:176)
at org.eclipse.core.internal.registry.ExtensionRegistry.createExecutableExtension(ExtensionRegistry.java:905)
at org.eclipse.core.internal.registry.ConfigurationElement.createExecutableExtension(ConfigurationElement.java:243)
at org.eclipse.core.internal.registry.ConfigurationElementHandle.createExecutableExtension(ConfigurationElementHandle.java:55)
at org.eclipse.ui.internal.WorkbenchPlugin.lambda$0(WorkbenchPlugin.java:288)
at org.eclipse.swt.custom.BusyIndicator.showWhile(BusyIndicator.java:70)
at org.eclipse.ui.internal.WorkbenchPlugin.createExtension(WorkbenchPlugin.java:285)
at org.eclipse.ui.internal.registry.EditorDescriptor.createEditor(EditorDescriptor.java:232)
at org.eclipse.ui.internal.EditorReference.createPart(EditorReference.java:329)
at org.eclipse.ui.internal.e4.compatibility.CompatibilityPart.createPart(CompatibilityPart.java:293)
at org.eclipse.ui.internal.e4.compatibility.CompatibilityEditor.createPart(CompatibilityEditor.java:63)
at org.eclipse.ui.internal.e4.compatibility.CompatibilityPart.create(CompatibilityPart.java:331)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.eclipse.e4.core.internal.di.MethodRequestor.execute(MethodRequestor.java:55)
at org.eclipse.e4.core.internal.di.InjectorImpl.processAnnotated(InjectorImpl.java:990)
at org.eclipse.e4.core.internal.di.InjectorImpl.processAnnotated(InjectorImpl.java:955)
at org.eclipse.e4.core.internal.di.InjectorImpl.inject(InjectorImpl.java:124)
at org.eclipse.e4.core.internal.di.InjectorImpl.internalMake(InjectorImpl.java:399)
at org.eclipse.e4.core.internal.di.InjectorImpl.make(InjectorImpl.java:318)
at org.eclipse.e4.core.contexts.ContextInjectionFactory.make(ContextInjectionFactory.java:162)
at org.eclipse.e4.ui.internal.workbench.ReflectionContributionFactory.createFromBundle(ReflectionContributionFactory.java:105)
at org.eclipse.e4.ui.internal.workbench.ReflectionContributionFactory.doCreate(ReflectionContributionFactory.java:74)
at org.eclipse.e4.ui.internal.workbench.ReflectionContributionFactory.create(ReflectionContributionFactory.java:56)
at org.eclipse.e4.ui.workbench.renderers.swt.ContributedPartRenderer.createWidget(ContributedPartRenderer.java:129)
at org.eclipse.e4.ui.internal.workbench.swt.PartRenderingEngine.createWidget(PartRenderingEngine.java:992)
at org.eclipse.e4.ui.internal.workbench.swt.PartRenderingEngine.safeCreateGui(PartRenderingEngine.java:661)
at org.eclipse.e4.ui.internal.workbench.swt.PartRenderingEngine.safeCreateGui(PartRenderingEngine.java:767)
at org.eclipse.e4.ui.internal.workbench.swt.PartRenderingEngine.access$0(PartRenderingEngine.java:738)
at org.eclipse.e4.ui.internal.workbench.swt.PartRenderingEngine$2.run(PartRenderingEngine.java:732)
at org.eclipse.core.runtime.SafeRunner.run(SafeRunner.java:42)
at org.eclipse.e4.ui.internal.workbench.swt.PartRenderingEngine.createGui(PartRenderingEngine.java:716)
at org.eclipse.e4.ui.workbench.renderers.swt.StackRenderer.showTab(StackRenderer.java:1293)
at org.eclipse.e4.ui.workbench.renderers.swt.LazyStackRenderer.lambda$0(LazyStackRenderer.java:68)
at org.eclipse.e4.ui.services.internal.events.UIEventHandler$1.run(UIEventHandler.java:40)
at org.eclipse.swt.widgets.Synchronizer.syncExec(Synchronizer.java:233)
at org.eclipse.ui.internal.UISynchronizer.syncExec(UISynchronizer.java:144)
at org.eclipse.swt.widgets.Display.syncExec(Display.java:4889)
at org.eclipse.e4.ui.internal.workbench.swt.E4Application$1.syncExec(E4Application.java:212)
at org.eclipse.e4.ui.services.internal.events.UIEventHandler.handleEvent(UIEventHandler.java:36)
at org.eclipse.equinox.internal.event.EventHandlerWrapper.handleEvent(EventHandlerWrapper.java:201)
at org.eclipse.equinox.internal.event.EventHandlerTracker.dispatchEvent(EventHandlerTracker.java:197)
at org.eclipse.equinox.internal.event.EventHandlerTracker.dispatchEvent(EventHandlerTracker.java:1)
at org.eclipse.osgi.framework.eventmgr.EventManager.dispatchEvent(EventManager.java:230)
at org.eclipse.osgi.framework.eventmgr.ListenerQueue.dispatchEventSynchronous(ListenerQueue.java:148)
at org.eclipse.equinox.internal.event.EventAdminImpl.dispatchEvent(EventAdminImpl.java:135)
at org.eclipse.equinox.internal.event.EventAdminImpl.sendEvent(EventAdminImpl.java:78)
at org.eclipse.equinox.internal.event.EventComponent.sendEvent(EventComponent.java:39)
at org.eclipse.e4.ui.services.internal.events.EventBroker.send(EventBroker.java:52)
at org.eclipse.e4.ui.internal.workbench.UIEventPublisher.notifyChanged(UIEventPublisher.java:60)
at org.eclipse.emf.common.notify.impl.BasicNotifierImpl.eNotify(BasicNotifierImpl.java:374)
at org.eclipse.e4.ui.model.application.ui.impl.ElementContainerImpl.setSelectedElement(ElementContainerImpl.java:173)
at org.eclipse.e4.ui.internal.workbench.ModelServiceImpl.showElementInWindow(ModelServiceImpl.java:620)
at org.eclipse.e4.ui.internal.workbench.ModelServiceImpl.bringToTop(ModelServiceImpl.java:584)
at org.eclipse.e4.ui.internal.workbench.PartServiceImpl.delegateBringToTop(PartServiceImpl.java:769)
at org.eclipse.e4.ui.internal.workbench.PartServiceImpl.bringToTop(PartServiceImpl.java:401)
at org.eclipse.e4.ui.internal.workbench.PartServiceImpl.showPart(PartServiceImpl.java:1188)
at org.eclipse.ui.internal.WorkbenchPage.busyOpenEditor(WorkbenchPage.java:3261)
at org.eclipse.ui.internal.WorkbenchPage.access$25(WorkbenchPage.java:3176)
at org.eclipse.ui.internal.WorkbenchPage$10.run(WorkbenchPage.java:3158)
at org.eclipse.swt.custom.BusyIndicator.showWhile(BusyIndicator.java:70)
at org.eclipse.ui.internal.WorkbenchPage.openEditor(WorkbenchPage.java:3153)
at org.eclipse.ui.internal.WorkbenchPage.openEditor(WorkbenchPage.java:3117)
at com.ixiasoft.dita.eclipse.actions.OpenWithAction.run(OpenWithAction.java:136)
at org.eclipse.jface.action.Action.runWithEvent(Action.java:473)
at org.eclipse.jface.action.ActionContributionItem.handleWidgetSelection(ActionContributionItem.java:565)
at org.eclipse.jface.action.ActionContributionItem.lambda$4(ActionContributionItem.java:397)
at org.eclipse.swt.widgets.EventTable.sendEvent(EventTable.java:86)
at org.eclipse.swt.widgets.Display.sendEvent(Display.java:4428)
at org.eclipse.swt.widgets.Widget.sendEvent(Widget.java:1079)
at org.eclipse.swt.widgets.Display.runDeferredEvents(Display.java:4238)
at org.eclipse.swt.widgets.Display.readAndDispatch(Display.java:3817)
at org.eclipse.e4.ui.internal.workbench.swt.PartRenderingEngine$5.run(PartRenderingEngine.java:1150)
at org.eclipse.core.databinding.observable.Realm.runWithDefault(Realm.java:336)
at org.eclipse.e4.ui.internal.workbench.swt.PartRenderingEngine.run(PartRenderingEngine.java:1039)
at org.eclipse.e4.ui.internal.workbench.E4Workbench.createAndRunUI(E4Workbench.java:153)
at org.eclipse.ui.internal.Workbench.lambda$3(Workbench.java:680)
at org.eclipse.core.databinding.observable.Realm.runWithDefault(Realm.java:336)
at org.eclipse.ui.internal.Workbench.createAndRunWorkbench(Workbench.java:594)
at org.eclipse.ui.PlatformUI.createAndRunWorkbench(PlatformUI.java:148)
at org.eclipse.ui.internal.ide.application.IDEApplication.start(IDEApplication.java:151)
at org.eclipse.equinox.internal.app.EclipseAppHandle.run(EclipseAppHandle.java:196)
at org.eclipse.core.runtime.internal.adaptor.EclipseAppLauncher.runApplication(EclipseAppLauncher.java:134)
at org.eclipse.core.runtime.internal.adaptor.EclipseAppLauncher.start(EclipseAppLauncher.java:104)
at org.eclipse.core.runtime.adaptor.EclipseStarter.run(EclipseStarter.java:388)
at org.eclipse.core.runtime.adaptor.EclipseStarter.run(EclipseStarter.java:243)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.eclipse.equinox.launcher.Main.invokeFramework(Main.java:653)
at org.eclipse.equinox.launcher.Main.basicRun(Main.java:590)
at org.eclipse.equinox.launcher.Main.run(Main.java:1499)
Caused by: java.lang.ClassNotFoundException: An error occurred while automatically activating bundle com.oxygenxml.author (829).
at org.eclipse.osgi.internal.hooks.EclipseLazyStarter.postFindLocalClass(EclipseLazyStarter.java:112)
at org.eclipse.osgi.internal.loader.classpath.ClasspathManager.findLocalClass(ClasspathManager.java:529)
at org.eclipse.osgi.internal.loader.ModuleClassLoader.findLocalClass(ModuleClassLoader.java:328)
at org.eclipse.osgi.internal.loader.BundleLoader.findLocalClass(BundleLoader.java:368)
at org.eclipse.osgi.internal.loader.sources.SingleSourcePackage.loadClass(SingleSourcePackage.java:36)
at org.eclipse.osgi.internal.loader.BundleLoader.findClassInternal(BundleLoader.java:442)
at org.eclipse.osgi.internal.loader.BundleLoader.findClass(BundleLoader.java:395)
at org.eclipse.osgi.internal.loader.BundleLoader.findClass(BundleLoader.java:387)
at org.eclipse.osgi.internal.loader.ModuleClassLoader.loadClass(ModuleClassLoader.java:150)
at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
at java.lang.Class.getDeclaredConstructors0(Native Method)
at java.lang.Class.privateGetDeclaredConstructors(Class.java:2671)
at java.lang.Class.getConstructor0(Class.java:3075)
at java.lang.Class.newInstance(Class.java:412)
at org.eclipse.core.internal.registry.osgi.RegistryStrategyOSGI.createExecutableExtension(RegistryStrategyOSGI.java:184)
at org.eclipse.core.internal.registry.ExtensionRegistry.createExecutableExtension(ExtensionRegistry.java:905)
at org.eclipse.core.internal.registry.ConfigurationElement.createExecutableExtension(ConfigurationElement.java:243)
at org.eclipse.core.internal.registry.ConfigurationElementHandle.createExecutableExtension(ConfigurationElementHandle.java:55)
at org.eclipse.ui.internal.WorkbenchPlugin.lambda$0(WorkbenchPlugin.java:288)
at org.eclipse.swt.custom.BusyIndicator.showWhile(BusyIndicator.java:52)
at org.eclipse.ui.internal.WorkbenchPlugin.createExtension(WorkbenchPlugin.java:285)
at org.eclipse.ui.internal.EarlyStartupRunnable.run(EarlyStartupRunnable.java:53)
at org.eclipse.core.runtime.SafeRunner.run(SafeRunner.java:42)
at org.eclipse.ui.internal.Workbench$40.run(Workbench.java:2747)
at org.eclipse.core.internal.jobs.Worker.run(Worker.java:56)
Caused by: org.osgi.framework.BundleException: Error starting module.
at org.eclipse.osgi.container.Module.doStart(Module.java:590)
at org.eclipse.osgi.container.Module.start(Module.java:449)
at org.eclipse.osgi.framework.util.SecureAction.start(SecureAction.java:468)
at org.eclipse.osgi.internal.hooks.EclipseLazyStarter.postFindLocalClass(EclipseLazyStarter.java:103)
... 24 more
Caused by: java.lang.NoClassDefFoundError: org/apache/logging/log4j/core/Layout
at com.oxygenxml.editor.EditorPlugin.<clinit>(Unknown Source)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
at java.lang.Class.newInstance(Class.java:442)
at org.eclipse.osgi.internal.framework.BundleContextImpl.loadBundleActivator(BundleContextImpl.java:763)
at org.eclipse.osgi.internal.framework.BundleContextImpl.start(BundleContextImpl.java:716)
at org.eclipse.osgi.internal.framework.EquinoxBundle.startWorker0(EquinoxBundle.java:933)
at org.eclipse.osgi.internal.framework.EquinoxBundle$EquinoxModule.startWorker(EquinoxBundle.java:309)
at org.eclipse.osgi.container.Module.doStart(Module.java:581)
... 27 more
Caused by: java.lang.ClassNotFoundException: org.apache.logging.log4j.core.Layout cannot be found by com.oxygenxml.author_23.1.0.v2021121415
at org.eclipse.osgi.internal.loader.BundleLoader.findClassInternal(BundleLoader.java:484)
at org.eclipse.osgi.internal.loader.BundleLoader.findClass(BundleLoader.java:395)
at org.eclipse.osgi.internal.loader.BundleLoader.findClass(BundleLoader.java:387)
at org.eclipse.osgi.internal.loader.ModuleClassLoader.loadClass(ModuleClassLoader.java:150)
at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
... 38 more
Regards,
Shabeer
-
- Posts: 2879
- Joined: Tue May 17, 2005 4:01 pm
Re: Oxygen Author Eclipse 23.0 with log4j fix
Hello,
The error indicates the class loader cannot find classes from the log4j core jar. So Eclipse doesn’t seem to be aware of the jar change. Check the references to log4j jars from META-INF\MANIFEST.MF in the Oxygen plugin folder.
Try running Eclipse with the -clean argument.
If the problem persists, try with a new Eclipse workspace as the current one may still have some caches that indicate the original (replaced) jars.
Regards,
Adrian
Adrian Buza
<oXygen/> XML Editor, Schema Editor and XSLT Editor/Debugger
http://www.oxygenxml.com
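The MANIFEST.MF check suggested in the reply above can be scripted: compare the log4j jars the manifest references with the log4j jars actually present in the plugin folder. This is an added example, not part of the original thread and not Oxygen's code; it assumes the references are `Bundle-ClassPath` entries (the standard OSGi header for jars nested in a bundle), and the folder layout and jar file names in the sample are constructed.

```python
import os
import tempfile


def read_manifest_headers(text):
    """Parse the main manifest section, joining continuation lines
    (a line starting with one space continues the previous header)."""
    headers, key = {}, None
    for line in text.splitlines():
        if not line:
            break  # a blank line ends the main section
        if line.startswith(" ") and key:
            headers[key] += line[1:]
        elif ":" in line:
            key, value = line.split(":", 1)
            headers[key] = value.lstrip(" ")
    return headers


def classpath_entries(headers):
    """Bundle-ClassPath is comma-separated; drop any ';' parameters."""
    raw = headers.get("Bundle-ClassPath", ".")
    return [e.split(";", 1)[0].strip() for e in raw.split(",") if e.strip()]


def check_bundle(plugin_dir):
    """Report log4j jars referenced but absent, and present but unreferenced."""
    path = os.path.join(plugin_dir, "META-INF", "MANIFEST.MF")
    with open(path, encoding="utf-8") as f:
        entries = classpath_entries(read_manifest_headers(f.read()))
    referenced = {e for e in entries if "log4j" in os.path.basename(e).lower()}
    on_disk = set()
    for root, _, files in os.walk(plugin_dir):
        for name in files:
            if name.lower().endswith(".jar") and "log4j" in name.lower():
                rel = os.path.relpath(os.path.join(root, name), plugin_dir)
                on_disk.add(rel.replace(os.sep, "/"))
    return {"missing": sorted(referenced - on_disk),
            "unreferenced": sorted(on_disk - referenced)}


def build_sample_plugin(root):
    """Constructed plugin folder: the jars on disk were replaced with 2.17.0,
    but the manifest still names the 2.16.0 files (hypothetical file names)."""
    os.makedirs(os.path.join(root, "META-INF"))
    os.makedirs(os.path.join(root, "lib"))
    manifest = ("Manifest-Version: 1.0\n"
                "Bundle-SymbolicName: com.example.plugin;singleton:=true\n"
                "Bundle-ClassPath: lib/app.jar,lib/log4j-api-2.16.0.jar,lib/log4j-core\n"
                " -2.16.0.jar\n"
                "\n")
    with open(os.path.join(root, "META-INF", "MANIFEST.MF"), "w", encoding="utf-8") as f:
        f.write(manifest)
    for jar in ("app.jar", "log4j-api-2.17.0.jar", "log4j-core-2.17.0.jar"):
        open(os.path.join(root, "lib", jar), "wb").close()


def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample_plugin(root)
        return check_bundle(root)


if __name__ == "__main__":
    print(demo())
```

A non-empty `missing` list matches the symptom in the stack trace: the bundle class loader is told to load a log4j core jar that is no longer in the folder.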