Solved

log4j-1.2.12.jar gets installed in Confluence when upgrading Lucidchart plugin to version 1.27.1

  • 18 April 2024
  • 8 replies
  • 144 views


I am running Confluence Data Center 7.19.21, and when I updated the Lucidchart plugin from version 1.27.0 to 1.27.1, the log4j-1.2.12.jar file showed up in Confluence’s plugin cache. This set off security alarms, since Log4j 1.x has been EOL since 2015: https://news.apache.org/foundation/entry/apache_logging_services_project_announces

Why is Log4j version 1.2.12 found in Lucidchart 1.27.1, and if it is deleted, will Lucidchart continue to work?


Best answer by Amelia W 18 April 2024, 23:54


Comments


Hi @kent.rogers, thanks for posting in the Lucid Community! I have raised this issue with our engineers and they are looking into this issue. I will update this thread once I learn more from them, I appreciate your help and patience!


@kent.rogers, our engineers were able to take a look at this issue, and have determined Lucidchart should continue to work if you remove log4j-1.2.12.jar file. We have made a note to get this removed as we continue to make updates to our Confluence Integration. Please let me know if you run into any issues or have any further questions!


I have the same Confluence environment as Kent Rogers has, and we have a detected issue from our Compliance department with our Confluence instance, due to the presence of this log4j-1.2.12 jar file, detected in /var/atlassian/application-data/confluence/plugins-osgi-cache/felix/felix-cache/bundle320/version0.0/bundle.jar-embedded/META-INF/lib/log4j-1.2.12.jar. I’m assuming that just removing this jar file will take care of the issue, preferably while Confluence is stopped.

Since Atlassian does recommend cleaning out the cache directories when plug-in issues occur, and this is something we do with every stop + start of our Confluence instance, is this something that will come back again when the plug-in cache folders are re-created on startup of Confluence?

Atlassian’s page for plug-in cache folder clean-up is here:
https://confluence.atlassian.com/confkb/how-to-clear-confluence-plugins-cache-297664846.html

plugins-osgi-cache is one of the four folders that are re-created if not present on startup of Confluence, so the log4j-1.2.12.jar would be re-created in the location listed above once the plug-in cache folders are re-created on startup. That would mean that the log4j file would need to be removed, for our instance, every time Confluence would be started up.

If this log4j jar file isn’t needed, can this be fixed in a future update of LucidChart?
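An added check (not from Lucid, Atlassian or anyone in this thread) that an administrator can run after a plugin upgrade or cache rebuild to confirm whether any Log4j 1.x jar is present under the plugin cache, either as a loose file extracted by Felix or still embedded inside a plugin bundle jar; the default home path in the comment is assumed from the location quoted above.

```shell
#!/bin/sh
# Scan a Confluence plugin cache for Log4j 1.x jars (log4j-1.*.jar).
# Assumed default location (from the path quoted in this thread):
#   /var/atlassian/application-data/confluence/plugins-osgi-cache
#
# find_log4j1_jars DIR
#   Prints one line per finding, prefixed "loose:" for a jar lying on disk
#   (e.g. under bundle.jar-embedded/META-INF/lib/) or "embedded:" for a
#   bundle jar that still carries a Log4j 1.x jar inside it.
#   Returns 0 when the directory is clean, 1 when at least one jar was found.
find_log4j1_jars() {
    dir="$1"

    # Loose jars: the name pattern only matches 1.x (log4j-core-2.x is not hit).
    loose=$(find "$dir" -type f -name 'log4j-1.*.jar' 2>/dev/null | sed 's/^/loose: /')

    # Jars embedded inside other jars: list each archive and look for a
    # Log4j 1.x entry. Skipped when unzip is not installed.
    embedded=""
    if command -v unzip >/dev/null 2>&1; then
        embedded=$(find "$dir" -type f -name '*.jar' ! -name 'log4j-*' 2>/dev/null |
            while IFS= read -r jar; do
                if unzip -l "$jar" 2>/dev/null | grep -q 'log4j-1\.[0-9][0-9.]*\.jar$'; then
                    echo "embedded: $jar"
                fi
            done)
    fi

    # Report findings (blank lines removed) and signal clean/not clean.
    printf '%s\n%s\n' "$loose" "$embedded" | sed '/^$/d'
    [ -z "$loose$embedded" ]
}

# Usage: sh check-log4j1.sh /var/atlassian/application-data/confluence/plugins-osgi-cache
if [ $# -gt 0 ]; then
    find_log4j1_jars "$1"
fi
```

Because the cache is rebuilt from the installed plugin on startup, run it against the installed plugin jar's directory as well as the cache to see whether a finding is a leftover or will reappear.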


Hi @jwolman, thanks for adding to this thread! We have made a note to get this removed as part of our next update to our Confluence Integration. Please let me know if you run into any issues or have any further questions!


Amelia,

I see the LucidChart plug-in for Confluence was updated to version 1.27.2, with no release notes of what’s in the update, save a two-word comment on the version page on the Atlassian Marketplace entry that says “Internal Maintenance”.

Does this update to 1.27.2 remove this old log4j-1.2.12.jar file that came up with 1.27.1? 


Hi @jwolman, thanks for following up! To my understanding, this was a minor update made by Confluence and that the log4j-1.2.12.jar file was not removed as part of this update. Our Development teams are currently working on getting this file removed for the next update that is released on our end.


Amelia, I see that 1.28.0 was released today, did the fix for the old log4j-1.2.12.jar file get incorporated into this new release or is it still pending for a future release? 


Hi @jwolman, thanks for following up on this! Yes, our engineers have confirmed that the log4j file was removed with this new version. Please let me know if you have any other questions!
