[opencms-dev] OpenCms and log4j
francev
francev at baikal.ru
Wed Dec 15 02:08:19 CET 2021
Hello,
Thanks, Michael, for your recommendations. I'm new to Java and Linux, and I want to be sure that I won't break anything...
> with the most recent ones from
> https://logging.apache.org/log4j/2.x/download.html
> log4j-api-2.15.0.jar
> log4j-core-2.15.0.jar
> log4j-jcl-2.15.0.jar
> log4j-slf4j-impl-2.15.0.jar
Just replace the jars with the new ones (it's version 2.16.0 now) and restart Tomcat? Right? No changes required in config files?
Thanks in advance,
Best regards, Ilya
> Hello,
> regarding the log4j security issue, the following actions should be taken:
> OpenCms 10.5.x or older: Those versions still use the "old" log4j 1.
> Based on what is known today (Dec 13), log4j 1 is not affected by the
> current security issue.
> OpenCms 11 or newer. Those versions of OpenCms use the critical log4j
> versions. Therefore the following steps should be taken:
> 1) Add "-Dlog4j.formatMsgNoLookups=true" as a Java-startup parameter
> 2) Replace the currently used log4j jars
> log4j-api-2.10.0.jar
> log4j-core-2.10.0.jar
> log4j-jcl-2.10.0.jar
> log4j-slf4j-impl-2.10.0.jar
> with the most recent ones from
> https://logging.apache.org/log4j/2.x/download.html
> log4j-api-2.15.0.jar
> log4j-core-2.15.0.jar
> log4j-jcl-2.15.0.jar
> log4j-slf4j-impl-2.15.0.jar
> We will provide an updated OpenCms version with the new log4j libs.
> Kind regards,
> Michael
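
A check for the two steps in the advisory quoted above, added here as an example and not part of either message or of OpenCms. The jar directory (assumed to be the webapp's WEB-INF/lib) and the file holding the JVM options (assumed to be something like Tomcat's bin/setenv.sh) are supplied by the caller, as is the minimum version (2.15.0 in the advisory, 2.16.0 in the reply).

```shell
#!/bin/sh
# Added example, not from the thread. Jar names and the JVM flag come from the
# advisory; directory and file locations are passed in by the caller.
REQUIRED="log4j-api log4j-core log4j-jcl log4j-slf4j-impl"

# version_ge A B: true if version A >= version B (relies on sort -V).
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# jar_versions DIR ARTIFACT: print every version of ARTIFACT found in DIR.
jar_versions() {
    for f in "$1"/"$2"-[0-9]*.jar; do
        [ -e "$f" ] || continue
        b=${f##*/}; b=${b#"$2"-}; printf '%s\n' "${b%.jar}"
    done
}

# check_log4j_lib DIR MIN: succeed only if each required jar is present exactly
# once, at version MIN or newer, and all four share one version.
check_log4j_lib() (
    dir=$1 min=$2 rc=0 all=
    for a in $REQUIRED; do
        vers=$(jar_versions "$dir" "$a")
        n=$(printf '%s' "$vers" | grep -c . || true)
        all="$all $vers"
        if [ "$n" -eq 0 ]; then
            echo "MISSING   $a"; rc=1
        elif [ "$n" -gt 1 ]; then   # old jar left beside the new one
            echo "DUPLICATE $a:" $vers; rc=1
        elif ! version_ge "$vers" "$min"; then
            echo "OUTDATED  $a-$vers (older than $min)"; rc=1
        else
            echo "OK        $a-$vers"
        fi
    done
    if [ "$(printf '%s\n' $all | sort -u | grep -c .)" -gt 1 ]; then
        echo "MIXED     versions:" $all; rc=1
    fi
    exit "$rc"
)

# has_nolookups_flag FILE: true if an uncommented line of FILE carries step 1's flag.
has_nolookups_flag() {
    grep -v '^[[:space:]]*#' "$1" | grep -q -- '-Dlog4j\.formatMsgNoLookups=true'
}

# Stand-alone use: sh check.sh <lib-dir> <min-version>
if [ "$#" -eq 2 ]; then check_log4j_lib "$1" "$2"; fi
```

The DUPLICATE case covers the most likely slip when swapping jars by hand: copying the new files in without deleting the 2.10.0 ones, which leaves both versions on the classpath.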