[opencms-dev] OpenCms and log4j

Michael Emmerich m.emmerich at alkacon.com
Wed Dec 15 06:02:36 CET 2021


Hello Ilya,

Yes, you just have to replace the four jar files with the newer versions
and restart Tomcat. And version 2.16 works fine as well, so this one
should be used now.

You just have to take care that you delete the old versions and do not 
have both in the /lib folder.

Kind regards,

Michael



On 15.12.21 at 02:08, francev wrote:
> Hello,
>
> Thanks, Michael, for your recommendations. I'm new to Java and Linux,
> and I want to be sure that I won't break anything....
>
> > with the most recent ones from
> > https://logging.apache.org/log4j/2.x/download.html
> > log4j-api-2.15.0.jar
> > log4j-core-2.15.0.jar
> > log4j-jcl-2.15.0.jar
> > log4j-slf4j-impl-2.15.0.jar
>
> Just replace the new jars (it's version 2.16.0 now) and restart
> Tomcat? Right? No changes required in config files?
>
> Thanks in advance,
> best regards Ilya
>
>
>
> > Hello,
>
> > regarding the log4j security issue, the following actions should be
> > taken:
>
> > OpenCms 10.5.x or older: Those versions still use the "old" log4j 1.
> > Based on what is known today (Dec 13), log4j 1 is not affected by the
> > current security issue.
>
> > OpenCms 11 or newer. Those versions of OpenCms use the critical log4j
> > versions. Therefore the following steps should be taken:
>
> > 1) Add "-Dlog4j.formatMsgNoLookups=true"  as a Java-startup parameter
>
> > 2) Replace the currently used log4j jars
>
> > log4j-api-2.10.0.jar
> > log4j-core-2.10.0.jar
> > log4j-jcl-2.10.0.jar
> > log4j-slf4j-impl-2.10.0.jar
>
> > with the most recent ones from
> > https://logging.apache.org/log4j/2.x/download.html
>
> > log4j-api-2.15.0.jar
> > log4j-core-2.15.0.jar
> > log4j-jcl-2.15.0.jar
> > log4j-slf4j-impl-2.15.0.jar
>
> > We will provide an updated OpenCms version with the new log4j libs.
>
> > Kind regards,
>
> > Michael
>
-- 
Kind Regards
Michael.
-------------------
Michael Emmerich
Alkacon Software GmbH & Co. KG - The OpenCms Experts
http://www.alkacon.com  -http://www.opencms.org
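
Added example, not part of the original messages or of OpenCms: a shell check for the point made in the reply above, that the old jars must be deleted so that two versions do not sit side by side in the lib folder. The function name, the directory argument and the empty placeholder files are assumptions; the jar names are the four listed in the thread.

```shell
#!/bin/sh
# Added example: audit a lib folder after swapping the log4j 2 jars.
# The directory and the expected version are passed in by the caller.

check_log4j_lib() {
    lib_dir=$1
    expected=$2
    status=0
    # The four artifacts named in the thread.
    for artifact in log4j-api log4j-core log4j-jcl log4j-slf4j-impl; do
        versions=""
        count=0
        for jar in "$lib_dir"/"$artifact"-[0-9]*.jar; do
            [ -e "$jar" ] || continue        # glob matched nothing
            base=${jar##*/}
            version=${base#"$artifact"-}
            version=${version%.jar}
            versions="$versions $version"
            count=$((count + 1))
        done
        versions=${versions# }
        if [ "$count" -eq 0 ]; then
            echo "MISSING   $artifact"
            status=1
        elif [ "$count" -gt 1 ]; then
            # Old and new jar side by side: the old one was not deleted.
            echo "DUPLICATE $artifact: $versions"
            status=1
        elif [ "$versions" != "$expected" ]; then
            echo "OUTDATED  $artifact: $versions (expected $expected)"
            status=1
        else
            echo "OK        $artifact $versions"
        fi
    done
    return "$status"
}

# Constructed demo: empty placeholder files stand in for real jars.
demo=$(mktemp -d)
for a in log4j-api log4j-core log4j-jcl log4j-slf4j-impl; do
    : > "$demo/$a-2.16.0.jar"
done
: > "$demo/log4j-core-2.10.0.jar"            # leftover old jar
check_log4j_lib "$demo" 2.16.0 || echo "lib folder needs cleanup"
rm -rf "$demo"
```

The function returns non-zero when any of the four artifacts is missing, present in more than one version, or not at the expected version, so it can gate a restart script.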