Lots of debug log is written after commons-logging is upgraded to 1.3.0
DEV Community dev.to
Background
The default log level of our applications is DEBUG because we aim to separate informative logs from diagnostic logs.
Recently, we received a vulnerability warning from commons-configuration2, prompting us to update the version. After the update, the application runs fine; however, the size of our log has grown from hundreds of kilobytes to a few gigabytes.
Investigation
The update of commons-configuration2 also upgraded commons-logging to version 1.3.0, which includes log4j-jcl. Previously, log4j-jcl was a standalone dependency. Now, all dependencies …