[opencms-dev] Security issue in log4j

Robert Velter robert.velter at take3.ro
Mon Dec 13 09:26:50 CET 2021


This mitigation is valuable, but the official download opencms-12.0.zip 
contains the vulnerable version 2.13.3 and there is no security
advisory on the website.

Just my 2 cents.

Regards, Robert

On Mon, 2021-12-13 at 02:18 +0100, Alessandro Magnolo wrote:
> OpenCms 10 uses log4j 1.x, so it is not affected:
> https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126
> 
> From OpenCms 11 onward, the default installation is exposed and must be
> properly checked against the vulnerability; Jan Michael's workaround
> should fix the issue.
> 
> If you log any user input to log4j in your JSP content pages, you're
> at risk; check this out: https://log4shell.huntress.com/
> 
> regards,
> Alessandro Magnolo
> 
> On Sat, 11 Dec 2021 at 10:34, Jan Michael Greiner <jan0michael at yahoo.com> wrote:
> > Hello all,
> > 
> > I just read about the zero day exploit in log4j
> > 
> > https://www.heise.de/news/Kritische-Zero-Day-Luecke-in-log4j-gefaehrdet-zahlreiche-Server-und-Apps-6291653.html
> > 
> > 
> > I have no idea if OpenCms is affected by this.
> > But to be on the safe side, I did
> > 
> > zip -q -d [path-on-my-server]/www/opencms/WEB-INF/lib/log4j-core-2.13.3.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
> > 
> > service tomcat9 restart
> > 
> > 
> > 
> > To have a look in the .jar file, you can do before and after the
> > above operation
> > 
> > unzip -l [path-on-my-server]/www/opencms/WEB-INF/lib/log4j-core-2.13.3.jar | grep -i jndi
> > 
> > 
> > Best regards,
> > 
> > Jan Michael Greiner
> > _______________________________________________
> > This mail is sent to you from the opencms-dev mailing list
> > To change your list options, or to unsubscribe from the list,
> > please visit
> > https://lists.opencms.org/mailman/listinfo/opencms-dev
-- 
Robert Velter <robert.velter at take3.ro>
Președinte - Asociaţia TAKE3
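
Jan Michael's two commands above strip JndiLookup.class from one jar whose path is already known and then list the jar to confirm the entry is gone. The script below is an added example for this thread, not code from the posters or from the OpenCms project: it generalizes that check to a whole deployment tree, finding every log4j-core-<version>.jar, reporting whether each still contains org/apache/logging/log4j/core/lookup/JndiLookup.class, and optionally removing the class the way `zip -d` does before re-checking. The WEB-INF/lib layout and the jar contents it builds in a temporary directory are constructed for the demonstration and stand in for a real installation.

```python
"""Audit a deployment tree for log4j-core jars and report whether each still
carries the JndiLookup class; optionally strip it, mirroring
`zip -q -d <jar> org/apache/logging/log4j/core/lookup/JndiLookup.class`.

Added example for the opencms-dev thread, not OpenCms project code. The
WEB-INF/lib layout and jar contents built by demo() are constructed samples.
"""
import os
import re
import shutil
import tempfile
import zipfile

# Exact entry the zip -d command in the thread removes.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Only log4j-core ships the lookup classes; log4j-api jars are skipped.
JAR_NAME = re.compile(r"^log4j-core-(\d+(?:\.\d+)*)\.jar$")


def find_log4j_core_jars(root):
    """Yield (path, version) for every log4j-core-<version>.jar below root."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            match = JAR_NAME.match(name)
            if match:
                yield os.path.join(dirpath, name), match.group(1)


def has_jndi_lookup(jar_path):
    """Same question as `unzip -l <jar> | grep -i jndi`, for the exact entry."""
    with zipfile.ZipFile(jar_path) as jar:
        return JNDI_LOOKUP in jar.namelist()


def strip_jndi_lookup(jar_path):
    """Rewrite the jar without JndiLookup.class; return the number of entries kept.

    zipfile cannot delete in place, so every other entry is copied to a new
    archive which is then swapped over the original.
    """
    tmp_path = jar_path + ".tmp"
    kept = 0
    with zipfile.ZipFile(jar_path) as src, \
            zipfile.ZipFile(tmp_path, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename == JNDI_LOOKUP:
                continue
            dst.writestr(info, src.read(info.filename))
            kept += 1
    os.replace(tmp_path, jar_path)
    return kept


def audit(root, fix=False):
    """Return {relative_jar_path: (version, jndi_present)} for every core jar.

    With fix=True the class is removed and the jar re-read, so the reported
    state is the one after mitigation.
    """
    results = {}
    for path, version in find_log4j_core_jars(root):
        present = has_jndi_lookup(path)
        if present and fix:
            strip_jndi_lookup(path)
            present = has_jndi_lookup(path)
        results[os.path.relpath(path, root)] = (version, present)
    return results


def make_sample_jar(path, include_jndi):
    """Constructed sample: a minimal archive with placeholder class entries."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if include_jndi:
            jar.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")


def demo():
    """Build a constructed tree, audit it, apply the fix, and audit again."""
    root = tempfile.mkdtemp(prefix="log4j-audit-")
    try:
        lib = os.path.join(root, "www", "opencms", "WEB-INF", "lib")
        make_sample_jar(os.path.join(lib, "log4j-core-2.13.3.jar"), True)
        make_sample_jar(os.path.join(lib, "log4j-api-2.13.3.jar"), False)
        make_sample_jar(os.path.join(root, "other", "log4j-core-2.13.3.jar"), False)
        before = audit(root)
        after = audit(root, fix=True)
        return before, after
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    before, after = demo()
    for rel, (version, present) in sorted(before.items()):
        print(f"{rel}: log4j-core {version}, before fix: "
              f"{'JndiLookup PRESENT' if present else 'clean'}")
    for rel, (version, present) in sorted(after.items()):
        print(f"{rel}: after fix: {'still present' if present else 'removed'}")
```

Against a real server you would call `audit("/path/to/tomcat/webapps")` first without `fix=True`, review the report, and only then rerun with the fix; since the jar is rewritten, stop Tomcat first or restart it afterwards as the thread does, because a running JVM may still have the old class loaded.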

