[JENKINS-67950] Log4jHotPatch signer error

Type: Bug
Resolution: Fixed
Priority: Minor
Component/s: core
Labels:
None
Environment:

Hide
Jenkins: 2.337
OS: Linux - 4.14.262-200.489.amzn2.x86_64
---
ace-editor:1.1
amazon-ecr:1.7
antisamy-markup-formatter:2.7
apache-httpcomponents-client-4-api:4.5.13-1.0
authentication-tokens:1.4
authorize-project:1.4.0
aws-credentials:189.v3551d5642995
aws-java-sdk-ec2:1.12.163-315.v2b_716ec8e4df
aws-java-sdk-ecr:1.12.163-315.v2b_716ec8e4df
aws-java-sdk-minimal:1.12.163-315.v2b_716ec8e4df
bootstrap4-api:4.6.0-3
bootstrap5-api:5.1.3-6
bouncycastle-api:2.25
branch-api:2.7.0
caffeine-api:2.9.2-29.v717aac953ff3
checks-api:1.7.2
cloudbees-folder:6.708.ve61636eb_65a_5
command-launcher:1.6
conditional-buildstep:1.4.1
configuration-as-code:1414.v878271fc496f
credentials:1074.v60e6c29b_b_44b_
credentials-binding:1.27.1
display-url-api:2.3.5
docker-commons:1.19
docker-java-api:3.1.5.2
docker-plugin:1.2.6
docker-workflow:1.28
durable-task:493.v195aefbb0ff2
echarts-api:5.3.0-2
font-awesome-api:6.0.0-1
git:4.10.3
git-client:3.11.0
git-parameter:0.9.15
git-server:1.10
handlebars:3.0.8
jackson2-api:2.13.1-246.va8a9f3eaf46a
javadoc:217.v905b_86277a_2a_
javax-activation-api:1.2.0-2
javax-mail-api:1.6.2-5
jdk-tool:1.5
job-dsl:1.78.3
jquery:1.12.4-1
jquery3-api:3.6.0-2
jsch:0.1.55.2
junit:1.55
lockable-resources:2.14
mailer:408.vd726a_1130320
matrix-auth:2.6.11
matrix-project:1.20
maven-plugin:3.18
momentjs:1.1.1
pipeline-build-step:2.16
pipeline-graph-analysis:188.v3a01e7973f2c
pipeline-input-step:446.vf27b_0b_83500e
pipeline-milestone-step:100.v60a_03cd446e1
pipeline-model-api:2.2064.v5eef7d0982b_e
pipeline-model-definition:2.2064.v5eef7d0982b_e
pipeline-model-extensions:2.2064.v5eef7d0982b_e
pipeline-rest-api:2.23
pipeline-stage-step:291.vf0a8a7aeeb50
pipeline-stage-tags-metadata:2.2064.v5eef7d0982b_e
pipeline-stage-view:2.23
pipeline-utility-steps:2.12.0
plain-credentials:1.8
plugin-util-api:2.14.0
popper-api:1.16.1-2
popper2-api:2.11.2-1
role-strategy:3.2.0
run-condition:1.5
saml:2.1.1-275.va_5718591a_999
scm-api:595.vd5a_df5eb_0e39
script-security:1140.vf967fb_efa_55a_
snakeyaml-api:1.29.1
ssh-credentials:1.19
ssh-slaves:1.33.1-805.vb_a_0d6a_21f322
sshd:3.1.0
structs:308.v852b473a2b8c
token-macro:280.v97a_82642793c
trilead-api:1.0.13
variant:1.4
workflow-aggregator:2.7
workflow-api:1138.v619fd5201b_2f
workflow-basic-steps:941.vdfe1b_a_132c64
workflow-cps:2660.vb_c0412dc4e6d
workflow-cps-global-lib:564.ve62a_4eb_b_e039
workflow-durable-task-step:1121.va_65b_d2701486
workflow-job:1174.vdcb_d054cf74a_
workflow-multibranch:711.vdfef37cda_816
workflow-scm-step:2.13
workflow-step-api:622.vb_8e7c15b_c95a_
workflow-support:815.vd60466279fc8

Show
Jenkins: 2.337 OS: Linux - 4.14.262-200.489.amzn2.x86_64 --- ace-editor:1.1 amazon-ecr:1.7 antisamy-markup-formatter:2.7 apache-httpcomponents-client-4-api:4.5.13-1.0 authentication-tokens:1.4 authorize-project:1.4.0 aws-credentials:189.v3551d5642995 aws-java-sdk-ec2:1.12.163-315.v2b_716ec8e4df aws-java-sdk-ecr:1.12.163-315.v2b_716ec8e4df aws-java-sdk-minimal:1.12.163-315.v2b_716ec8e4df bootstrap4-api:4.6.0-3 bootstrap5-api:5.1.3-6 bouncycastle-api:2.25 branch-api:2.7.0 caffeine-api:2.9.2-29.v717aac953ff3 checks-api:1.7.2 cloudbees-folder:6.708.ve61636eb_65a_5 command-launcher:1.6 conditional-buildstep:1.4.1 configuration-as-code:1414.v878271fc496f credentials:1074.v60e6c29b_b_44b_ credentials-binding:1.27.1 display-url-api:2.3.5 docker-commons:1.19 docker-java-api:3.1.5.2 docker-plugin:1.2.6 docker-workflow:1.28 durable-task:493.v195aefbb0ff2 echarts-api:5.3.0-2 font-awesome-api:6.0.0-1 git:4.10.3 git-client:3.11.0 git-parameter:0.9.15 git-server:1.10 handlebars:3.0.8 jackson2-api:2.13.1-246.va8a9f3eaf46a javadoc:217.v905b_86277a_2a_ javax-activation-api:1.2.0-2 javax-mail-api:1.6.2-5 jdk-tool:1.5 job-dsl:1.78.3 jquery:1.12.4-1 jquery3-api:3.6.0-2 jsch:0.1.55.2 junit:1.55 lockable-resources:2.14 mailer:408.vd726a_1130320 matrix-auth:2.6.11 matrix-project:1.20 maven-plugin:3.18 momentjs:1.1.1 pipeline-build-step:2.16 pipeline-graph-analysis:188.v3a01e7973f2c pipeline-input-step:446.vf27b_0b_83500e pipeline-milestone-step:100.v60a_03cd446e1 pipeline-model-api:2.2064.v5eef7d0982b_e pipeline-model-definition:2.2064.v5eef7d0982b_e pipeline-model-extensions:2.2064.v5eef7d0982b_e pipeline-rest-api:2.23 pipeline-stage-step:291.vf0a8a7aeeb50 pipeline-stage-tags-metadata:2.2064.v5eef7d0982b_e pipeline-stage-view:2.23 pipeline-utility-steps:2.12.0 plain-credentials:1.8 plugin-util-api:2.14.0 popper-api:1.16.1-2 popper2-api:2.11.2-1 role-strategy:3.2.0 run-condition:1.5 saml:2.1.1-275.va_5718591a_999 scm-api:595.vd5a_df5eb_0e39 script-security:1140.vf967fb_efa_55a_ snakeyaml-api:1.29.1 ssh-credentials:1.19 ssh-slaves:1.33.1-805.vb_a_0d6a_21f322 sshd:3.1.0 structs:308.v852b473a2b8c token-macro:280.v97a_82642793c trilead-api:1.0.13 variant:1.4 workflow-aggregator:2.7 workflow-api:1138.v619fd5201b_2f workflow-basic-steps:941.vdfe1b_a_132c64 workflow-cps:2660.vb_c0412dc4e6d workflow-cps-global-lib:564.ve62a_4eb_b_e039 workflow-durable-task-step:1121.va_65b_d2701486 workflow-job:1174.vdcb_d054cf74a_ workflow-multibranch:711.vdfef37cda_816 workflow-scm-step:2.13 workflow-step-api:622.vb_8e7c15b_c95a_ workflow-support:815.vd60466279fc8

Similar Issues:
Powered by SuggestiMate

Show
Released As:
2.358

I see the following error message in the Jenkins logs:

java.lang.SecurityException: class "Log4jHotPatch"'s signer information does not match signer information of other classes in the same packagejava.lang.SecurityException: class "Log4jHotPatch"'s signer information does not match signer information of other classes in the same package at java.lang.ClassLoader.checkCerts(ClassLoader.java:891) at java.lang.ClassLoader.preDefineClass(ClassLoader.java:661) at java.lang.ClassLoader.defineClass(ClassLoader.java:754) at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:142) at java.net.URLClassLoader.defineClass(URLClassLoader.java:473) at java.net.URLClassLoader.access$100(URLClassLoader.java:74) at java.net.URLClassLoader$1.run(URLClassLoader.java:369) at java.net.URLClassLoader$1.run(URLClassLoader.java:363) at java.security.AccessController.doPrivileged(Native Method) at java.net.URLClassLoader.findClass(URLClassLoader.java:362) at java.lang.ClassLoader.loadClass(ClassLoader.java:418) at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:352) at java.lang.ClassLoader.loadClass(ClassLoader.java:351) at sun.instrument.InstrumentationImpl.loadClassAndStartAgent(InstrumentationImpl.java:304) at sun.instrument.InstrumentationImpl.loadClassAndCallAgentmain(InstrumentationImpl.java:411)

I have seen this on version 2.337 and 2.332. On the 2.337 server the Jenkins logs are going to /var/log/messages and not to /var/log/jenkins/

This does not stop the server being built or operating.

relates to

JENKINS-67900 ERROR: Error fetching remote repo 'origin' when creating a new pipeline with changes to the parameters values if one parameter is PATH

Open

links to

corretto/hotpatch-for-apache-log4j2#53

Kalle Niemitalo added a comment - 2022-03-04 14:38

These Log4jHotPatch errors were seen in JENKINS-67900 as well, but they apparently were not the cause of the PATH problem that was reported there.

Kalle Niemitalo added a comment - 2022-03-04 14:38 These Log4jHotPatch errors were seen in JENKINS-67900 as well, but they apparently were not the cause of the PATH problem that was reported there.

Kalle Niemitalo added a comment - 2022-03-04 14:53

AWS announced Log4jHotPatch in Hotpatch for Apache Log4j (2021-12-12). Amazon Linux Hotpatch Announcement for Apache Log4j (2021-12-14) says JDKs in Amazon Linux install Log4jHotPatch automatically, and describes how to disable it if necessary.

I don't know how to make Log4jHotPatch actually work with Jenkins.

Kalle Niemitalo added a comment - 2022-03-04 14:53 AWS announced Log4jHotPatch in Hotpatch for Apache Log4j (2021-12-12). Amazon Linux Hotpatch Announcement for Apache Log4j (2021-12-14) says JDKs in Amazon Linux install Log4jHotPatch automatically, and describes how to disable it if necessary. I don't know how to make Log4jHotPatch actually work with Jenkins.

Basil Crow added a comment - 2022-03-04 21:07

Can be reproduced locally by building Log4jHotPatch.jar and running java -Dlog4jFixerVerbose=true -cp Log4jHotPatch.jar Log4jHotPatch ${JENKINS_PID}.

Basil Crow added a comment - 2022-03-04 21:07 Can be reproduced locally by building Log4jHotPatch.jar and running java -Dlog4jFixerVerbose=true -cp Log4jHotPatch.jar Log4jHotPatch ${JENKINS_PID }.

Basil Crow added a comment - 2022-03-04 21:56

Stepping through the problematic frames in the debugger, I do not think Jenkins is at fault here. Jenkins contains some classes in the unnamed package namespace:

$ jar tf jenkins.war
[…]
ColorFormatter.class
JNLPMain.class
LogFileOutputStream$1.class
LogFileOutputStream.class
Main$FileAndDescription.class
Main.class
MainDialog.class
[…]
META-INF/JENKINS.RSA
META-INF/JENKINS.SF
META-INF/MANIFEST.MF
[…]
$

Note that META-INF/JENKINS.RSA and META-INF/JENKINS.SF are only present in our signed official releases; a local build will not contain these. The presence of these classes and signatures means that the system class loader associates the signatures with the unnamed package namespace. Then, when Log4jHotPatch attempts to load a class into the same unnamed package namespace without a signature, class loading fails.

I do not think Log4jHotPatch should make any assumptions about whether or not it is free to load unsigned classes into the unnamed package namespace. Perhaps Log4jHotPatch should use its own package namespace instead. I filed corretto/hotpatch-for-apache-log4j2#53 to track this.

Basil Crow added a comment - 2022-03-04 21:56 Stepping through the problematic frames in the debugger, I do not think Jenkins is at fault here. Jenkins contains some classes in the unnamed package namespace : $ jar tf jenkins.war […] ColorFormatter.class JNLPMain.class LogFileOutputStream$1.class LogFileOutputStream.class Main$FileAndDescription.class Main.class MainDialog.class […] META-INF/JENKINS.RSA META-INF/JENKINS.SF META-INF/MANIFEST.MF […] $ Note that META-INF/JENKINS.RSA and META-INF/JENKINS.SF are only present in our signed official releases; a local build will not contain these. The presence of these classes and signatures means that the system class loader associates the signatures with the unnamed package namespace. Then, when Log4jHotPatch attempts to load a class into the same unnamed package namespace without a signature, class loading fails. I do not think Log4jHotPatch should make any assumptions about whether or not it is free to load unsigned classes into the unnamed package namespace. Perhaps Log4jHotPatch should use its own package namespace instead. I filed corretto/hotpatch-for-apache-log4j2#53 to track this.

Dave added a comment - 2022-03-07 08:25

Thanks for all the comments so far.

Here is the Java version of the EC2 instance that has this issue:

java -version
openjdk version "1.8.0_312"
OpenJDK Runtime Environment (build 1.8.0_312-b07)
OpenJDK 64-Bit Server VM (build 25.312-b07, mixed mode)

Dave added a comment - 2022-03-07 08:25 Thanks for all the comments so far. Here is the Java version of the EC2 instance that has this issue: java -version openjdk version "1.8.0_312" OpenJDK Runtime Environment (build 1.8.0_312-b07) OpenJDK 64-Bit Server VM (build 25.312-b07, mixed mode)

Dave added a comment - 2022-03-07 08:26

Is it likely that this error does not affect the running of Jenkins?

Dave added a comment - 2022-03-07 08:26 Is it likely that this error does not affect the running of Jenkins?

Basil Crow added a comment - 2022-03-07 15:33

Is it likely that this error does not affect the running of Jenkins?

This error does not affect the running of Jenkins.

Basil Crow added a comment - 2022-03-07 15:33 Is it likely that this error does not affect the running of Jenkins? This error does not affect the running of Jenkins.

Dave added a comment - 2022-03-08 15:16

Thanks Basil.

Dave added a comment - 2022-03-08 15:16 Thanks Basil.

Basil Crow added a comment - 2022-07-06 17:39

We added a workaround for this upstream issue in 2.358.

Basil Crow added a comment - 2022-07-06 17:39 We added a workaround for this upstream issue in 2.358.

Assignee:: Unassigned

Reporter:: Dave

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Created:: 2022-03-04 11:32

Updated:: 2022-07-06 17:39

Resolved:: 2022-07-06 17:39

Jenkins

Details

Description

Attachments

Issue Links

Activity

Collapse comment: Kalle Niemitalo added a comment - 2022-03-04 14:38

Expand comment: Kalle Niemitalo added a comment - 2022-03-04 14:38

Collapse comment: Kalle Niemitalo added a comment - 2022-03-04 14:53

Expand comment: Kalle Niemitalo added a comment - 2022-03-04 14:53

Collapse comment: Basil Crow added a comment - 2022-03-04 21:07

Expand comment: Basil Crow added a comment - 2022-03-04 21:07

Collapse comment: Basil Crow added a comment - 2022-03-04 21:56

Expand comment: Basil Crow added a comment - 2022-03-04 21:56

Collapse comment: Dave added a comment - 2022-03-07 08:25

Expand comment: Dave added a comment - 2022-03-07 08:25

Collapse comment: Dave added a comment - 2022-03-07 08:26

Expand comment: Dave added a comment - 2022-03-07 08:26

Collapse comment: Basil Crow added a comment - 2022-03-07 15:33

Expand comment: Basil Crow added a comment - 2022-03-07 15:33

Collapse comment: Dave added a comment - 2022-03-08 15:16

Expand comment: Dave added a comment - 2022-03-08 15:16

Collapse comment: Basil Crow added a comment - 2022-07-06 17:39

Expand comment: Basil Crow added a comment - 2022-07-06 17:39

People

Dates