[opencms-dev] OpenCms and log4j

Christoph Kukulies kuku at physik.rwth-aachen.de
Mon Dec 13 12:09:58 CET 2021


Thanks, Michael, for the recipe. Just to be sure where the Java startup parameters are located,
could you please point to the file in question and give an example? Is that

/usr/share/tomcat9/bin/catalina.sh

Or should one create a setenv.sh in the above directory and put a line

JAVA_OPTS=-Dlog4j.formatMsgNoLookups=true

in there?

—
Christoph

> On 13.12.2021 at 09:52, Michael Emmerich <m.emmerich at alkacon.com> wrote:
> 
> Hello,
> 
> regarding the log4j security issue, the following actions should be taken:
> 
> OpenCms 10.5.x or older: Those versions still use the "old" log4j 1. Based on what is known today (Dec 13), log4j 1 is not affected by the current security issue.
> 
> OpenCms 11 or newer. Those versions of OpenCms use the critical log4j versions. Therefore the following steps should be taken:
> 
> 1) Add "-Dlog4j.formatMsgNoLookups=true"  as a Java-startup parameter
> 
> 2) Replace the currently used log4j jars
> 
> log4j-api-2.10.0.jar
> log4j-core-2.10.0.jar
> log4j-jcl-2.10.0.jar
> log4j-slf4j-impl-2.10.0.jar
> 
> with the most recent ones from https://logging.apache.org/log4j/2.x/download.html
> 
> log4j-api-2.15.0.jar
> log4j-core-2.15.0.jar
> log4j-jcl-2.15.0.jar
> log4j-slf4j-impl-2.15.0.jar
> 
> We will provide an updated OpenCms version with the new log4j libs.
> 
> Kind regards,
> 
> Michael
> 
> 
> -- 
> Kind Regards
> Michael.
> -------------------
> Michael Emmerich
> Alkacon Software GmbH & Co. KG - The OpenCms Experts
> http://www.alkacon.com - http://www.opencms.org
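
Added example (not part of the original messages and not Alkacon's code): a small shell check for the two steps in the recipe above. It lists log4j 2.x jars in a lib directory that are older than the 2.15.0 named in the thread, and tests whether a setenv.sh, which Tomcat's catalina.sh sources from the bin directory when it exists, sets the startup parameter. The function names and both paths passed on the command line are assumptions.

```shell
#!/bin/sh
# Added example: audit an OpenCms webapp against the two steps in the thread.
# Usage (paths are assumptions, pass your own): audit.sh <WEB-INF/lib dir> <setenv.sh>

MIN_VERSION="${MIN_VERSION:-2.15.0}"   # replacement version named in the thread

# version_lt A B: succeeds when dotted version A is strictly lower than B.
version_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" |
         sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)" = "$1" ]
}

# list_outdated_log4j DIR: print log4j 2.x jars in DIR older than MIN_VERSION.
# log4j 1.x jars (e.g. log4j-1.2.17.jar) are skipped, matching the thread's
# statement that OpenCms 10.5.x and older are handled separately.
list_outdated_log4j() {
    for jar in "$1"/log4j-*.jar; do
        [ -e "$jar" ] || continue            # glob matched nothing
        name=$(basename "$jar" .jar)
        ver=${name##*-}                      # text after the last hyphen
        case "$ver" in
            2.*) if version_lt "$ver" "$MIN_VERSION"; then
                     echo "$name.jar"
                 fi ;;
        esac
    done
    return 0
}

# has_nolookups_flag FILE: succeeds when FILE sets the parameter on a line
# that is not commented out.
has_nolookups_flag() {
    [ -r "$1" ] &&
    grep -v '^[[:space:]]*#' "$1" |
        grep -q -e '-Dlog4j\.formatMsgNoLookups=true'
}

if [ "$#" -eq 2 ]; then
    outdated=$(list_outdated_log4j "$1")
    if [ -n "$outdated" ]; then
        echo "log4j jars older than $MIN_VERSION in $1:"
        echo "$outdated"
    fi
    has_nolookups_flag "$2" || echo "formatMsgNoLookups not set in $2"
fi
```

The flag check reads the file only; the running JVM picks the parameter up after Tomcat is restarted.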
