[opencms-dev] OpenCms and log4j

Michael Emmerich m.emmerich at alkacon.com
Mon Dec 13 14:59:55 CET 2021


Christoph,

if you update the log4j to 2.15, the startup parameter is not required 
as this version is not vulnerable to the issue.

The startup parameter (I have such parameters in my CATALINA_OPTS of my 
start script) must be used if you do not update the .jars. However, I 
prefer using the new .jar files.

Kind regards,

Michael




On 13.12.21 at 12:09, Christoph Kukulies wrote:
> Thanks, Michael, for the recipe. Just to be sure where the java 
> startup parameters are located
> could you please point to the file in question and give an example? Is 
> that
>
> /usr/share/tomcat9/bin/catalina.sh
>
> Or should one create a setenv.sh in the above directory and put a line
>
> JAVA_OPTS=-Dlog4j.formatMsgNoLookups=true
>
> in there?
>
>> Christoph
>
>> On 13.12.2021 at 09:52, Michael Emmerich <m.emmerich at alkacon.com> wrote:
>>
>> Hello,
>>
>> regarding the log4j security issue, the following actions should be 
>> taken:
>>
>> OpenCms 10.5.x or older: Those versions still use the "old" log4j 1. 
>> Based on what is known today (Dec 13), log4j 1 is not affected by the 
>> current security issue.
>>
>> OpenCms 11 or newer. Those versions of OpenCms use the critical log4j 
>> versions. Therefore the following steps should be taken:
>>
>> 1) Add "-Dlog4j.formatMsgNoLookups=true"  as a Java-startup parameter
>>
>> 2) Replace the currently used log4j jars
>>
>> log4j-api-2.10.0.jar
>> log4j-core-2.10.0.jar
>> log4j-jcl-2.10.0.jar
>> log4j-slf4j-impl-2.10.0.jar
>>
>> with the most recent ones from 
>> https://logging.apache.org/log4j/2.x/download.html
>>
>> log4j-api-2.15.0.jar
>> log4j-core-2.15.0.jar
>> log4j-jcl-2.15.0.jar
>> log4j-slf4j-impl-2.15.0.jar
>>
>> We will provide an updated OpenCms version with the new log4j libs.
>>
>> Kind regards,
>>
>> Michael
>>
>>
>> -- 
>> Kind Regards
>> Michael.
>> -------------------
>> Michael Emmerich
>> Alkacon Software GmbH & Co. KG - The OpenCms Experts
>> http://www.alkacon.com - http://www.opencms.org
>
>
-- 
Kind Regards
Michael.
-------------------
Michael Emmerich
Alkacon Software GmbH & Co. KG - The OpenCms Experts
http://www.alkacon.com - http://www.opencms.org
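
Added example, not part of the original mail and not OpenCms or Alkacon code: a shell check for the two steps described in the thread. It lists the four log4j 2 jars in a library directory, compares their versions with a minimum, and reports whether -Dlog4j.formatMsgNoLookups=true is present in the JVM options string passed in. The function names, the return codes and the choice of directory (for example the webapp's WEB-INF/lib) are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit a lib directory for the log4j 2 jars listed in the thread.

# version_lt A B: succeeds when dotted version A is lower than B.
version_lt() {
    [ "$1" = "$2" ] && return 1
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$lowest" = "$1" ]
}

# audit_log4j LIB_DIR JVM_OPTS [MIN_VERSION]
# Returns 0 when every log4j 2 jar is at or above MIN_VERSION,
#         1 when older jars remain but the startup parameter is set,
#         2 when older jars remain and the parameter is missing.
# (Return codes are this example's own convention.)
audit_log4j() {
    lib_dir=$1; jvm_opts=$2; min=${3:-2.15.0}
    old=0
    # Only the four log4j 2 artifacts from the thread; log4j 1 jars are not matched.
    for jar in "$lib_dir"/log4j-api-*.jar "$lib_dir"/log4j-core-*.jar \
               "$lib_dir"/log4j-jcl-*.jar "$lib_dir"/log4j-slf4j-impl-*.jar; do
        [ -e "$jar" ] || continue            # unmatched glob stays literal
        name=$(basename "$jar" .jar)
        ver=${name##*-}                      # text after the last '-'
        if version_lt "$ver" "$min"; then
            echo "OLD  $name (below $min)"; old=1
        else
            echo "OK   $name"
        fi
    done
    [ "$old" -eq 0 ] && return 0
    case " $jvm_opts " in
        *" -Dlog4j.formatMsgNoLookups=true "*)
            echo "old jars in use, startup parameter present"; return 1 ;;
        *)  echo "old jars in use, startup parameter missing"; return 2 ;;
    esac
}

# Constructed sample: empty files named like the jars in the thread.
demo=$(mktemp -d)
touch "$demo/log4j-api-2.10.0.jar" "$demo/log4j-core-2.10.0.jar" \
      "$demo/log4j-jcl-2.15.0.jar"
audit_log4j "$demo" "-Xmx1g -Dlog4j.formatMsgNoLookups=true" || echo "status: $?"
rm -rf "$demo"
```

The minimum version is an argument, defaulting to the 2.15.0 named in this thread, so the same check can be rerun against whatever version a later Apache advisory names.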