[opencms-dev] Security issue in log4j

Alessandro Magnolo alessandro.magnolo at gmail.com
Mon Dec 13 02:18:37 CET 2021


OpenCms 10 uses log4j 1.x, so it is not affected:
https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126

OpenCms 11 onward default installation is exposed and must be properly
checked against the vulnerability; Jan Michael's workaround should fix
the issue.

If you log any user input to log4j in your JSP content pages, you're
at risk; check this out: https://log4shell.huntress.com/

regards,
Alessandro Magnolo

On Sat, 11 Dec 2021 at 10:34, Jan Michael Greiner <jan0michael at yahoo.com> wrote:
>
> Hello all,
>
> I just read about the zero day exploit in log4j
>
> https://www.heise.de/news/Kritische-Zero-Day-Luecke-in-log4j-gefaehrdet-zahlreiche-Server-und-Apps-6291653.html
>
>
> I have no idea, if OpenCms is affected by this.
> But to be on the safe side, I did
>
> zip -q -d [path-on-my-server]/www/opencms/WEB-INF/lib/log4j-core-2.13.3.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
>
> service tomcat9 restart
>
>
>
> To have a look in the .jar file, you can do before and after the above operation
>
> unzip -l [path-on-my-server]/www/opencms/WEB-INF/lib/log4j-core-2.13.3.jar|grep -i jndi
>
>
> Best regards,
>
> Jan Michael Greiner
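The check and the class-removal workaround quoted above, as an added example that is not part of the thread: it reproduces `unzip -l ... | grep -i jndi` and `zip -q -d ... JndiLookup.class` with Python's standard zipfile module (no zip tooling needed), scans a WEB-INF/lib directory for log4j-core jars, and builds a constructed stand-in `log4j-core-2.13.3.jar` with a placeholder `JndiLookup.class` so it runs offline. The real path on a server is the `WEB-INF/lib` directory from the message; `demo()` and `make_constructed_lib()` are names chosen here.

```python
import os
import re
import shutil
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JAR_RE = re.compile(r"^log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")

def find_log4j_core(lib_dir):
    """List (path, version tuple, has_jndi_lookup) for every log4j-core jar in lib_dir."""
    found = []
    for name in sorted(os.listdir(lib_dir)):
        m = JAR_RE.match(name)
        if m:
            path = os.path.join(lib_dir, name)
            with zipfile.ZipFile(path) as jar:  # same check as `unzip -l ... | grep -i jndi`
                has_jndi = JNDI_CLASS in jar.namelist()
            found.append((path, tuple(int(x) for x in m.groups()), has_jndi))
    return found

def strip_jndi_lookup(jar_path):
    """Rewrite the jar without JndiLookup.class (what `zip -d` does); True if it was removed."""
    tmp = jar_path + ".tmp"
    with zipfile.ZipFile(jar_path) as src:
        if JNDI_CLASS not in src.namelist():
            return False
        with zipfile.ZipFile(tmp, "w") as dst:
            for info in src.infolist():  # copy every other entry unchanged
                if info.filename != JNDI_CLASS:
                    dst.writestr(info, src.read(info.filename))
    os.replace(tmp, jar_path)  # Tomcat must be restarted afterwards to load the rewritten jar
    return True

def make_constructed_lib(lib_dir):
    """Constructed stand-in for WEB-INF/lib: a fake log4j-core-2.13.3.jar with a dummy class."""
    os.makedirs(lib_dir, exist_ok=True)
    with zipfile.ZipFile(os.path.join(lib_dir, "log4j-core-2.13.3.jar"), "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not real bytecode
        jar.writestr("org/apache/logging/log4j/core/Core.class", b"\xca\xfe\xba\xbe")

def demo():
    """Scan, apply the workaround, and rescan a constructed lib dir; returns (before, after)."""
    lib = tempfile.mkdtemp()
    try:
        make_constructed_lib(lib)
        before = find_log4j_core(lib)
        for path, _, _ in before:
            strip_jndi_lookup(path)
        return before, find_log4j_core(lib)
    finally:
        shutil.rmtree(lib)
```

Point `find_log4j_core` at the real `WEB-INF/lib` to see which jars still carry the class; the version tuple is returned so a later upgrade to a fixed log4j release can be confirmed the same way.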

