[opencms-dev] OpenCms and log4j

Ramon Gavira rgaviras at gmail.com
Mon Dec 13 12:18:51 CET 2021


Hello Michael, it seems that it affects "Old Versions"... look:

https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126

Is this right?

On Mon, 13 Dec 2021 at 9:52, Michael Emmerich (<m.emmerich at alkacon.com>)
wrote:

> Hello,
>
> regarding the log4j security issue, the following actions should be taken:
>
> OpenCms 10.5.x or older: Those versions still use the "old" log4j 1.
> Based on what is known today (Dec 13), log4j 1 is not affected by the
> current security issue.
>
> OpenCms 11 or newer. Those versions of OpenCms use the critical log4j
> versions. Therefore the following steps should be taken:
>
> 1) Add "-Dlog4j.formatMsgNoLookups=true" as a Java-startup parameter
>
> 2) Replace the currently used log4j jars
>
> log4j-api-2.10.0.jar
> log4j-core-2.10.0.jar
> log4j-jcl-2.10.0.jar
> log4j-slf4j-impl-2.10.0.jar
>
> with the most recent ones from
> https://logging.apache.org/log4j/2.x/download.html
>
> log4j-api-2.15.0.jar
> log4j-core-2.15.0.jar
> log4j-jcl-2.15.0.jar
> log4j-slf4j-impl-2.15.0.jar
>
> We will provide an updated OpenCms version with the new log4j libs.
>
> Kind regards,
>
> Michael
>
>
> --
> Kind Regards
> Michael.
> -------------------
> Michael Emmerich
> Alkacon Software GmbH & Co. KG - The OpenCms Experts
> http://www.alkacon.com - http://www.opencms.org
>
>
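
One way to verify both steps of the quoted instructions on a server, as an added example that is not part of the original messages. It assumes a bash-like shell with GNU `sort -V`; the function names, status labels and sample directory are made up here, and the minimum version defaults to the 2.15.0 named in the message.

```shell
#!/usr/bin/env bash
# Added example (not from the mailing list): check the two steps above.
# Jar naming <artifact>-<version>.jar is taken from the message; paths are assumptions.

# True if dotted version $1 is strictly older than $2 (needs GNU sort -V).
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Step 2: print "<STATUS> <jar>" for every log4j jar in a lib directory.
audit_log4j_jars() {
    local lib_dir="$1" min="${2:-2.15.0}" jar name ver
    for jar in "$lib_dir"/log4j-*.jar; do
        [ -e "$jar" ] || continue            # glob matched nothing
        name=$(basename "$jar" .jar)
        ver=${name##*-}                      # text after the last '-'
        case $ver in
            1.*)    echo "LOG4J1 $name.jar" ;;     # log4j 1 (OpenCms 10.5.x or older)
            [0-9]*) if version_lt "$ver" "$min"; then
                        echo "OUTDATED $name.jar"
                    else
                        echo "OK $name.jar"
                    fi ;;
            *)      echo "UNKNOWN $name.jar" ;;    # no parsable version suffix
        esac
    done
}

# Step 1: succeed if the given JVM option string carries the startup parameter.
has_nolookups_flag() {
    case " $* " in
        *" -Dlog4j.formatMsgNoLookups=true "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample: empty files named like the jars listed in the message.
make_sample_lib() {
    local d
    d=$(mktemp -d)
    touch "$d/log4j-api-2.15.0.jar" "$d/log4j-core-2.10.0.jar" \
          "$d/log4j-jcl-2.15.0.jar" "$d/log4j-slf4j-impl-2.10.0.jar"
    echo "$d"
}

sample=$(make_sample_lib)
audit_log4j_jars "$sample"
has_nolookups_flag "-Xmx1g -Dlog4j.formatMsgNoLookups=true" && echo "flag present"
rm -rf "$sample"
```

Point `audit_log4j_jars` at the web application's library directory and pass the release currently listed on the Apache download page as the second argument, since releases after 2.15.0 followed the date of this message.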