Solved

log4j-1.2.12.jar gets installed in Confluence when upgrading Lucidchart plugin to version 1.27.1

  • 18 April 2024
  • 4 replies
  • 59 views

I am running Confluence Data Center 7.19.21, and when I updated the Lucidchart plugin from version 1.27.0 to 1.27.1, the log4j-1.2.12.jar file showed up in Confluence’s plugin cache. This set off security alarms, since Log4j 1.x has been EOL since 2015: https://news.apache.org/foundation/entry/apache_logging_services_project_announces

Why is Log4j version 1.2.12 found in Lucidchart 1.27.1, and if it is deleted, will Lucidchart continue to work?

Best answer by Amelia W 18 April 2024, 23:54

Comments

Hi @kent.rogers, thanks for posting in the Lucid Community! I have raised this issue with our engineers and they are looking into this issue. I will update this thread once I learn more from them. I appreciate your help and patience!

@kent.rogers, our engineers were able to take a look at this issue, and have determined Lucidchart should continue to work if you remove the log4j-1.2.12.jar file. We have made a note to get this removed as we continue to make updates to our Confluence Integration. Please let me know if you run into any issues or have any further questions!

@kent.rogers, our engineers were able to take a look at this issue, and have determined Lucidchart should continue to work if you remove the log4j-1.2.12.jar file. We have made a note to get this removed as we continue to make updates to our Confluence Integration. Please let me know if you run into any issues or have any further questions!

I have the same Confluence environment as Kent Rogers has, and we have a detected issue from our Compliance department with our Confluence instance, due to the presence of this log4j-1.2.12 jar file, detected in /var/atlassian/application-data/confluence/plugins-osgi-cache/felix/felix-cache/bundle320/version0.0/bundle.jar-embedded/META-INF/lib/log4j-1.2.12.jar. I’m assuming that just removing this jar file will take care of the issue, preferably while Confluence is stopped.

Since Atlassian does recommend cleaning out the cache directories when plug-in issues occur, and it is something we do with every stop + start of our Confluence instance, is this something that will come back again when the plug-in cache folders are re-created on startup of Confluence?

Atlassian’s page for plug-in cache folder clean-up is here:
https://confluence.atlassian.com/confkb/how-to-clear-confluence-plugins-cache-297664846.html

plugins-osgi-cache is one of the four folders that are re-created if not present on startup of Confluence. The log4j-1.2.12.jar would be re-created in the location listed above once the plug-in cache folders are re-created on startup. That would mean that the log4j file would need to be removed, for our instance, every time Confluence would be started up.

If this log4j jar file isn’t needed, can this be fixed in a future update of LucidChart? 

Hi @jwolman, thanks for adding to this thread! We have made a note to get this removed as part of our next update to our Confluence Integration. Please let me know if you run into any issues or have any further questions!
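
Added example (not part of the original thread and not Lucid's or Atlassian's code): because the cached copy is re-created on startup, it helps to know which jar carries the embedded log4j 1.x. This Python sketch lists log4j-1.x jars under a directory, both loose files and entries nested inside other jars; it matches on file name only, and the script name and the nesting limit of 3 are assumptions.

```python
import io
import os
import re
import sys
import zipfile

# Matches log4j 1.x artifact names such as log4j-1.2.12.jar
# (not log4j-core-2.x, log4j-api-2.x or the log4j-1.2-api bridge).
LOG4J1_NAME = re.compile(r"(^|/)log4j-1\.\d+(\.\d+)*\.jar$")


def scan_archive(data, label, hits, depth=0):
    """Record log4j 1.x jars nested inside an archive, recursing into embedded jars."""
    try:
        with zipfile.ZipFile(data) as zf:
            for name in zf.namelist():
                if LOG4J1_NAME.search(name):
                    hits.append(f"{label}!/{name}")
                elif name.endswith(".jar") and depth < 3:  # assumed nesting limit
                    inner = io.BytesIO(zf.read(name))
                    scan_archive(inner, f"{label}!/{name}", hits, depth + 1)
    except (zipfile.BadZipFile, OSError):
        pass  # unreadable or non-zip file: skip it rather than abort the scan


def find_log4j1(root):
    """Return sorted locations of log4j 1.x jars under root, loose or embedded."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            if LOG4J1_NAME.search(fname):
                hits.append(path)  # loose copy, e.g. extracted into the felix cache
            elif fname.endswith(".jar"):
                scan_archive(path, path, hits)  # plugin jar that may embed it
    return sorted(hits)


if __name__ == "__main__":
    # Usage (hypothetical script name): python find_log4j1.py <confluence-home>
    for hit in find_log4j1(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(hit)
```

Run against the Confluence home directory, a hit of the form `<plugin>.jar!/META-INF/lib/log4j-1.2.12.jar` identifies the bundle that will put the file back after the cache is cleared.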
