[opencms-dev] OpenCms and log4j

Michael Emmerich m.emmerich at alkacon.com
Mon Dec 13 15:19:00 CET 2021


Ramon,

as far as I understand it, this is only an issue in the old version if 
you use an JMSAppender, which OpenCms goes not do in its normal logging 
configuration. There the RollingFileAppender is used.

So, unless you have not reconfigured your logging in a way that it uses 
the JMSAppender, OpenCms 10.5.x or older should not be affected - at 
least as we know today.

Kind regards,

Michael




Am 13.12.21 um 12:18 schrieb Ramon Gavira:
> Hello Micheal, it seems that it affects "Old Versions"... look:
>
> https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126
>
> Is this right?
>
> El lun, 13 dic 2021 a las 9:52, Michael Emmerich 
> (<m.emmerich at alkacon.com>) escribió:
>
>     Hello,
>
>     regarding the log4j security issue, the following actions should
>     be taken:
>
>     OpenCms 10.5.x or older: Those versions still use the "old" log4j 1.
>     Based on what is known today (Dec 13), log4j 1 is not affected by the
>     current security issue.
>
>     OpenCms 11 or newer. Those versions of OpenCms use the critical log4j
>     versions. Therefore the following steps should be taken:
>
>     1) Add "-Dlog4j.formatMsgNoLookups=true"  as a Java-startup parameter
>
>     2) Replace the currently used log4j jars
>
>     log4j-api-2.10.0.jar
>     log4j-core-2.10.0.jar
>     log4j-jcl-2.10.0.jar
>     log4j-slf4j-impl-2.10.0.jar
>
>     with the most recent ones from
>     https://logging.apache.org/log4j/2.x/download.html
>
>     log4j-api-2.15.0.jar
>     log4j-core-2.15.0.jar
>     log4j-jcl-2.15.0.jar
>     log4j-slf4j-impl-2.15.0.jar
>
>     We will provide an updated OpenCms version with the new log4j libs.
>
>     Kind regards,
>
>     Michael
>
>
>     -- 
>     Kind Regards
>     Michael.
>     -------------------
>     Michael Emmerich
>     Alkacon Software GmbH & Co. KG - The OpenCms Experts
>     http://www.alkacon.com - http://www.opencms.org
>
>     _______________________________________________
>     This mail is sent to you from the opencms-dev mailing list
>     To change your list options, or to unsubscribe from the list,
>     please visit
>     https://lists.opencms.org/mailman/listinfo/opencms-dev
>
>
>
>
> _______________________________________________
> This mail is sent to you from the opencms-dev mailing list
> To change your list options, or to unsubscribe from the list, please visit
> https://lists.opencms.org/mailman/listinfo/opencms-dev
>
>
>
-- 
Kind Regards
Michael.
-------------------
Michael Emmerich
Alkacon Software GmbH & Co. KG - The OpenCms Experts
http://www.alkacon.com  -http://www.opencms.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opencms.org/pipermail/opencms-dev/attachments/20211213/54718506/attachment.htm>


More information about the opencms-dev mailing list