[opencms-dev] OpenCms and log4j
Michael Emmerich
m.emmerich at alkacon.com
Mon Dec 13 09:52:06 CET 2021
Hello,

regarding the log4j security issue, the following actions should be taken:

OpenCms 10.5.x or older: Those versions still use the "old" log4j 1.
Based on what is known today (Dec 13), log4j 1 is not affected by the
current security issue.

OpenCms 11 or newer: Those versions of OpenCms use the critical log4j
versions. Therefore the following steps should be taken:

1) Add "-Dlog4j.formatMsgNoLookups=true" as a Java-startup parameter

2) Replace the currently used log4j jars

   log4j-api-2.10.0.jar
   log4j-core-2.10.0.jar
   log4j-jcl-2.10.0.jar
   log4j-slf4j-impl-2.10.0.jar

   with the most recent ones from
   https://logging.apache.org/log4j/2.x/download.html

   log4j-api-2.15.0.jar
   log4j-core-2.15.0.jar
   log4j-jcl-2.15.0.jar
   log4j-slf4j-impl-2.15.0.jar

We will provide an updated OpenCms version with the new log4j libs.

Kind regards,
Michael
--
Kind Regards
Michael.
-------------------
Michael Emmerich
Alkacon Software GmbH & Co. KG - The OpenCms Experts
http://www.alkacon.com - http://www.opencms.org
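
A way to verify both steps on an installation, as an added example that is not part of the original mail or of OpenCms: it lists the four log4j 2 jars named above that are still older than 2.15.0 and checks a JVM option string for the flag from step 1. The function names and the command-line arguments (lib directory, option string) are assumptions.

```shell
#!/bin/sh
# Added example (not OpenCms code): audit a WEB-INF/lib directory and JVM options
# against the two steps in the mail. Function names and arguments are assumptions.

TARGET_VERSION="2.15.0"   # replacement version named in the mail

# version_lt A B: succeeds when dotted version A sorts strictly before B.
version_lt() {
    if [ "$1" = "$2" ]; then return 1; fi
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$lowest" = "$1" ]
}

# outdated_log4j_jars LIBDIR: print every jar from the mail's list that is
# present in LIBDIR with a version older than TARGET_VERSION.
outdated_log4j_jars() {
    libdir=$1
    for artifact in log4j-api log4j-core log4j-jcl log4j-slf4j-impl; do
        for jar in "$libdir"/"$artifact"-[0-9]*.jar; do
            [ -e "$jar" ] || continue          # glob matched nothing
            name=$(basename "$jar" .jar)
            version=${name#"$artifact"-}       # strip "artifact-" prefix
            if version_lt "$version" "$TARGET_VERSION"; then
                echo "$name.jar"
            fi
        done
    done
}

# has_nolookups_flag OPTS: succeeds only when the exact flag from step 1 is
# one of the space-separated JVM options (a "=false" value does not count).
has_nolookups_flag() {
    case " $1 " in
        *" -Dlog4j.formatMsgNoLookups=true "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage: sh audit.sh /path/to/WEB-INF/lib "$JAVA_OPTS"
if [ "$#" -ge 1 ]; then
    outdated_log4j_jars "$1"
    has_nolookups_flag "${2:-}" || echo "missing -Dlog4j.formatMsgNoLookups=true"
fi
```

An empty result from `outdated_log4j_jars` together with a successful `has_nolookups_flag` means both steps are in place for that directory and option string.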