Note: On August 5, 2015 the Logging Services Project Management Committee announced that Log4j 1.x had reached end of life. / Log4j version 1 is no longer supported ... but I'm still investigating log4j-1.2.
originally
log4j-1.2.8
On an application that was only there
log4j-1.2.12
Something is wrong with the inclusion of.
The log appears twice. And unintentionally go out to System Out ...
This is a memo about these two points.
First of all, it is this area that seems to be related to the point that it appears twice. ʻAdditivity`
About Log4j's Logger hierarchy and additivity behavior
Additivity is set to true by default, that is children inherit the appenders of their ancestors by default. Additivity is set to true by default, and children inherit their ancestor appenders by default.
For SystemOut, the following is suspicious when looking at log4j change history.
Quote.
--1.2.12 TRACE level introduced, ConsoleAppender modified to follow redirection of System.out The TRACE level has been introduced and ConsoleAppender has been modified to follow System.out redirects.
--1.2.13 TRACE level missing info fixed, ConsoleAppender.follow added to make redirection following an optional behavior. Correct TRACE level missing information, add ConsoleAppender.follow to redirect after any action Did.
-log4j version 1.2.13 Bug # 37122: Console appender now behaves as before to fix compatibility problem with JBoss introduced in 1.2.12 release due to fix for bug 31056. Can still be configured to detect changes in the System.out and System.err streams as needed by setting the follow property. ConsoleAppender is due to bug 31056 fixed. To fix a compatibility issue with JBoss introduced in the .12 release, it now works as before. You can now set the following properties to detect changes in the System.out and System.err streams as needed.
The behavior of ConsoleAppender still seems to have changed. [^ 1]
As long as you try 1.2.17 here, the behavior returns to the same as 1.2.8.
API/ABI changes review for log4j
I will write down what I have investigated so far to see if it is okay to raise it to 1.2.17 for business purposes. Also, Log4j seems to have a vulnerability related to unreliable data deserialization, but it is applicable. It didn't seem to be done, so make a note of it.