It appears to me that a deprecated version of Log4J is still in use in GATE-embedded, apparently by a class named `CreoleRegisterImpl.java`. I'm writing a GATE driver (in Java) for use by other micro-services on our AWS EC2 platforms (running Rocky Linux). I'm striving to do as little Java development as possible.

I have had to add a `log4j.properties` file in order to silence complaints -- note the filename. Current versions of log4j ("log4j2") expect to find `log4j2.properties`. Our stack currently specifies v2.20.0 in `pom.xml` for our Java GATE driver.

I don't know enough about the Java technology stack to know whether or how to address this. I do know that in the log files from our own log4j2 usage, I see log entries from `CreoleRegisterImpl.java`. Here are some examples:

```
``` 

I invite guidance about how to best ensure that our use of GATE does not expose our server(s) to the serious zero-day vulnerabilities widely publicized about the now-deprecated older versions of `log4j`. I'm the only developer on this project, and so I'm looking for an approach that requires as little Java/Maven expertise as possible.

Thanks,
Tom S.

It appears to me that a deprecated version of Log4J is still in use in GATE-embedded, apparently by a class named `CreoleRegisterImpl.java`. I'm writing a GATE driver (in Java) for use by other micro-services on our AWS EC2 platforms (running Rocky Linux). I'm striving to do as little Java development as possible.

I have had to add a `log4j.properties` file in order to silence complaints -- note the filename. Current versions of log4j ("log4j2") expect to find `log4j2.properties`. Our stack currently specifies v2.20.0 in `pom.xml` for our Java GATE driver.

I don't know enough about the Java technology stack to know whether or how to address this. I do know that in the log files from our own log4j2 usage, I see log entries from `CreoleRegisterImpl.java`. Here are some examples:

```

INFO  (CreoleRegisterImpl.java:342) - CREOLE plugin loaded: creole ...

INFO  (CreoleRegisterImpl.java:201) - CREOLE plugin loaded: ANNIE 8.5 ...

``` 

I invite guidance about how to best ensure that our use of GATE does not expose our server(s) to the serious zero-day vulnerabilities widely publicized about the now-deprecated older versions of `log4j`. I'm the only developer on this project, and so I'm looking for an approach that requires as little Java/Maven expertise as possible.

Thanks,
Tom S.

-- 
Ian Roberts                | Department of Computer Science
i.roberts@...  | University of Sheffield, UK

Which version of gate-core do you depend on? 

My "dependencies" in 'pom.xml' look like:


I think that means that I depend on v8.6.1 of gate.core.

Which version of gate-core do you depend on? 

My "dependencies" in 'pom.xml' look like:

  <dependencies>

    <dependency>

      <groupId>junit</groupId>

      <artifactId>junit</artifactId>

      <version>3.8.1</version>

      <scope>test</scope>

    </dependency>

    <dependency>

      <groupId>uk.ac.gate</groupId>

      <artifactId>gate-core</artifactId>

      <version>8.6.1</version>

      <scope>compile</scope>

    </dependency>

    <dependency>

      <groupId>org.json</groupId>

      <artifactId>json</artifactId>

        <version>20180130</version>

        <scope>compile</scope>

    </dependency>

    <dependency>

      <groupId>org.apache.logging.log4j</groupId>

      <artifactId>log4j-core</artifactId>

        <version>2.20.0</version>

        <scope>compile</scope>

    </dependency>

    <dependency>

      <groupId>org.apache.logging.log4j</groupId>

      <artifactId>log4j-api</artifactId>

        <version>2.20.0</version>

        <scope>compile</scope>

    </dependency>

  </dependencies>

I think that means that I depend on v8.6.1 of gate.core.

-- 
Ian Roberts                | Department of Computer Science
i.roberts@...  | University of Sheffield, UK

I could have sworn we'd made the switch before 8.6.1 but apparently not, you'll need to upgrade your gate-core dependency to 9.0.1.

But you should probably also consider updating the app you're running to use newer plugins - I noticed in your original message it was loading ANNIE 8.5, where the latest version now is 9.1.  Exactly how you achieve that depends how you're loading your GATE components; if you're loading an xgapp using the PersistenceManager then you should be able to use the upgrade tool in GATE Developer to bring the plugin references up to date.

Ian

On 31/03/2023 15:55, SomervilleTom via groups.io wrote:

Which version of gate-core do you depend on? 

My "dependencies" in 'pom.xml' look like:

  <dependencies>

    <dependency>

      <groupId>junit</groupId>

      <artifactId>junit</artifactId>

      <version>3.8.1</version>

      <scope>test</scope>

    </dependency>

    <dependency>

      <groupId>uk.ac.gate</groupId>

      <artifactId>gate-core</artifactId>

      <version>8.6.1</version>

      <scope>compile</scope>

    </dependency>

    <dependency>

      <groupId>org.json</groupId>

      <artifactId>json</artifactId>

        <version>20180130</version>

        <scope>compile</scope>

    </dependency>

    <dependency>

      <groupId>org.apache.logging.log4j</groupId>

      <artifactId>log4j-core</artifactId>

        <version>2.20.0</version>

        <scope>compile</scope>

    </dependency>

    <dependency>

      <groupId>org.apache.logging.log4j</groupId>

      <artifactId>log4j-api</artifactId>

        <version>2.20.0</version>

        <scope>compile</scope>

    </dependency>

  </dependencies>

I think that means that I depend on v8.6.1 of gate.core.

-- 
Ian Roberts                | Department of Computer Science
i.roberts@...  | University of Sheffield, UK

-- 
Ian Roberts                | Department of Computer Science
i.roberts@...  | University of Sheffield, UK

Actually it's not quite that simple - try this:

This worked perfectly, thank you!

I changed my test harness to use v9.1 of Annie and all is working fine.

I REALLY appreciate your prompt and effective assistance.