reload4j project

Initiated by Ceki Gülcü, the original author of Apache log4j 1.x, the reload4j project is a fork of Apache log4j version 1.2.17 with the goal of fixing pressing security issues. It is intended as a drop-in replacement for log4j version 1.2.17. By drop-in, we mean the replacement of log4j.jar with reload4j.jar in your build with no source code changes in .java files being necessary.

With release 1.2.18.1 (see below), the reload4j project offers a clear and easy migration path for the thousands of users who have an urgent need to fix vulnerabilities in log4j 1.2.17.

Goals

As mentioned above, the reload4j project aims to fix the most urgent issues in log4j 1.2.17. In the short term, this will be accomplished by the following steps:

In the absence of a robust and well tested countermeasure, JDBCAppender has been removed to prevent SQL injection attacks. We have a proposed countermeasure which may yet salvage JDBCAppender. See PR 26.

Because neither log4j 1.x nor reload4j offers a message lookup mechanism, they did not suffer from the notorious log4shell vulnerability.

Latest release 1.2.18.1

Version 1.2.18.1 was released on 2022-01-19. It can be found on Maven Central under the following coordinates:

ch.qos.reload4j:reload4j:1.2.18.1

Reload4j was built using Java 8 but targets Java 1.5.

The unit tests were updated but no actual code was changed except for the removal of NTEventAppender and the correction of the aforementioned issues, including the CVEs.

The SLF4J project has released version 1.7.33 containing the slf4j-reload4j module which supports reload4j.

Project roadmap

We do not expect to add new features to reload4j. However, it will see maintenance releases for the foreseeable future.

Source code repository

Source code is available on GitHub under the qos-ch/reload4j repository, which was forked from apache/logging-log4j1.

Keys

All reload4j artifacts published on Maven Central are signed. For each artifact, there is an associated signature file with the .asc suffix.

To verify the signature, use this public key. Here is its fingerprint:

pub   2048R/A511E325 2012-04-26
Key fingerprint = 475F 3B8E 59E6 E63A A780  6748 2C7B 12F2 A511 E325
uid   Ceki Gulcu <ceki@qos.ch>
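
An added example (not part of the reload4j project) of checking an artifact against its .asc file while pinning the full fingerprint listed above instead of the short key id. It assumes gpg is installed and the public key is already imported; the function names, script name and jar file name are hypothetical.

```shell
#!/bin/sh
# Added example: verify a downloaded artifact against its .asc signature and
# require that the signature comes from the key whose fingerprint this page lists.

# Full 160-bit fingerprint from this page, spaces removed. The short id
# (A511E325) is only 32 bits and must not be used for pinning.
PINNED_FPR="475F3B8E59E6E63AA78067482C7B12F2A511E325"

# Reads `gpg --status-fd` output on stdin. Succeeds only if a VALIDSIG line names
# the pinned key, either as the signing key (field 3) or, when a subkey signed,
# as the primary key (last field).
signed_by_pinned_key() {
    awk -v want="$PINNED_FPR" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            if (toupper($3) == want || toupper($NF) == want) ok = 1
        }
        END { exit !ok }'
}

# verify_artifact FILE: expects FILE.asc beside FILE and the public key already
# imported into the caller's keyring.
verify_artifact() {
    artifact=$1
    # gpg exits non-zero on a bad signature or a missing public key.
    status=$(gpg --batch --status-fd 1 --verify "$artifact.asc" "$artifact" 2>/dev/null) || return 1
    printf '%s\n' "$status" | signed_by_pinned_key
}

# Usage (script and jar names are assumptions): sh verify-reload4j.sh reload4j-1.2.18.1.jar
if [ "$#" -gt 0 ]; then
    verify_artifact "$1" && echo "signature OK, key matches pinned fingerprint"
fi
```

A good signature from any other key in the keyring, including one that shares the short id, is rejected because only the full fingerprint is compared.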

Building

Reload4j builds with Maven and targets Java 1.5. You need to launch Maven under Java 8 or alternatively configure Maven Toolchains for Java 8.

A sample toolchains configuration can be found in .github/workflows/toolchains.xml.

Bug reporting using GitHub issues page

You can browse issues at our GitHub issues page. All steps undertaken in the project are first published/discussed on the reload4j mailing list or on the aforementioned issues page.

Mailing list

Name                   Traffic  Subscribe  Unsubscribe  Archives
reload4j mailing list  Low      Subscribe  Unsubscribe  qos.ch

Projects using reload4j

Do let us know if you are using reload4j.

Why not revive log4j 1.x within the Apache Software Foundation?

The reload4j project aims to fix the most urgent issues in log4j 1.2.17 which hasn't seen a new release since 2012. Note that on 2022-01-06 the Apache Logging PMC formally voted to reaffirm the EOL (End of Life) status of log4j 1.x. Despite our best efforts it was therefore impossible to revive the log4j 1.x project within the Apache Software Foundation.

Donations and sponsorship

You can also support SLF4J/logback/reload4j projects via donations and sponsorship. We thank our current supporters and sponsors for their continued contributions.