[opencms-dev] OpenCms and log4j
Ramon Gavira Sáenz
ramon.gavira at sagasoluciones.com
Mon Dec 13 16:29:47 CET 2021
Thanks!
To be sure, we have eliminated JMSAppender from the jar and everything seems to work fine.
zip -q -d log4j-1.2.17.jar org/apache/log4j/net/JMSAppender.class
Ramón
From: opencms-dev <opencms-dev-bounces at opencms.org> On behalf of Michael Emmerich
Sent: Monday, 13 December 2021 15:19
To: opencms-dev at opencms.org
Subject: Re: [opencms-dev] OpenCms and log4j
Ramon,
as far as I understand it, this is only an issue in the old version if you use a JMSAppender, which OpenCms does not do in its normal logging configuration. There the RollingFileAppender is used.
So, unless you have not reconfigured your logging in a way that it uses the JMSAppender, OpenCms 10.5.x or older should not be affected - at least as we know today.
Kind regards,
Michael
On 13.12.21 at 12:18, Ramon Gavira wrote:
Hello Michael, it seems that it affects "Old Versions"... look:
https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126
Is this right?
On Mon, 13 Dec 2021 at 9:52, Michael Emmerich (<m.emmerich at alkacon.com>) wrote:
Hello,
regarding the log4j security issue, the following actions should be taken:
OpenCms 10.5.x or older: Those versions still use the "old" log4j 1.
Based on what is known today (Dec 13), log4j 1 is not affected by the
current security issue.
OpenCms 11 or newer. Those versions of OpenCms use the critical log4j
versions. Therefore the following steps should be taken:
1) Add "-Dlog4j.formatMsgNoLookups=true" as a Java-startup parameter
2) Replace the currently used log4j jars
log4j-api-2.10.0.jar
log4j-core-2.10.0.jar
log4j-jcl-2.10.0.jar
log4j-slf4j-impl-2.10.0.jar
with the most recent ones from
https://logging.apache.org/log4j/2.x/download.html
log4j-api-2.15.0.jar
log4j-core-2.15.0.jar
log4j-jcl-2.15.0.jar
log4j-slf4j-impl-2.15.0.jar
We will provide an updated OpenCms version with the new log4j libs.
Kind regards,
Michael
--
Kind Regards
Michael.
-------------------
Michael Emmerich
Alkacon Software GmbH & Co. KG - The OpenCms Experts
http://www.alkacon.com - http://www.opencms.org
_______________________________________________
This mail is sent to you from the opencms-dev mailing list
To change your list options, or to unsubscribe from the list, please visit
https://lists.opencms.org/mailman/listinfo/opencms-dev
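An added example, not part of the original thread or of OpenCms: a Python check that walks a library directory (for instance a webapp's WEB-INF/lib) and reports which log4j 2 jars are older than the version named in the thread, and whether a log4j 1.x jar still contains JMSAppender.class after the zip -d step. The function names, status labels and the constructed sample jars are assumptions made for illustration; the log4j 2 version is read from the file name.

```python
import re
import tempfile
import zipfile
from pathlib import Path

JMS_APPENDER = "org/apache/log4j/net/JMSAppender.class"  # class removed in the thread
LOG4J2_NAME = re.compile(r"^log4j-(api|core|jcl|slf4j-impl)-(\d+)\.(\d+)\.(\d+)\.jar$")


def audit_lib_dir(lib_dir, min_version=(2, 15, 0)):
    """Return (jar name, status) pairs; min_version is the release named in the thread."""
    findings = []
    for jar in sorted(Path(lib_dir).glob("log4j*.jar")):
        m = LOG4J2_NAME.match(jar.name)
        if m:
            version = tuple(int(x) for x in m.groups()[1:])
            findings.append((jar.name, "ok" if version >= min_version else "replace"))
            continue
        # Anything else is treated as log4j 1.x: inspect the archive itself,
        # because the file name does not change when a class is deleted.
        try:
            with zipfile.ZipFile(jar) as zf:
                present = JMS_APPENDER in zf.namelist()
        except zipfile.BadZipFile:
            findings.append((jar.name, "unreadable"))
            continue
        findings.append((jar.name, "jmsappender-present" if present else "jmsappender-absent"))
    return findings


def build_sample_lib(root):
    """Constructed sample directory: empty stand-in jars, not real log4j builds."""
    root = Path(root)
    for name in ("log4j-core-2.10.0.jar", "log4j-api-2.15.0.jar"):
        with zipfile.ZipFile(root / name, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    with zipfile.ZipFile(root / "log4j-1.2.17.jar", "w") as zf:
        zf.writestr(JMS_APPENDER, b"")
        zf.writestr("org/apache/log4j/RollingFileAppender.class", b"")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for name, status in audit_lib_dir(build_sample_lib(tmp)):
            print(f"{status:20} {name}")
```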