From: David B. <dj...@gm...> - 2021-12-11 22:08:52
Will upgrading to the nightly build dated 2021-12-11 mitigate the problem, or does that version also require the patching described below?

> On Dec 11, 2021, at 3:59 PM, Juri Leino <ju...@ex...> wrote:
>
> I believe everyone has heard about the critical vulnerability in log4j2 at this point.
>
> Even if you did upgrade your Java version (later than JDK 8u191 for Java 8) please consider additional actions to mitigate the log4j2 vulnerability (applies to all versions of exist 5):
>
> - navigate to the home folder of your exist instance (might be in $EXIST_HOME)
>
> - open etc/log4j2.xml in a text editor and
> replace _all occurrences_ of "%m" with "%m{noLookups}"
>
> - additionally or if the above cannot be applied for some reason run
>
> zip -q -d lib/log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
>
> To remove the JndiLookup altogether.
>
> The exist db must be restarted for these changes to take effect.
>
> Source: https://logging.apache.org/log4j/2.x/security.html
> _______________________________________________
> Exist-open mailing list
> Exi...@li...
> https://lists.sourceforge.net/lists/listinfo/exist-open
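
An added example, not part of the messages above or of eXist-db's own code: a Python check that both mitigations from the quoted message are in place under an eXist home directory. The function names and the sample config are constructed for illustration; also flagging %msg and %message goes beyond the "%m" named in the message and assumes they are the same converter in Log4j 2 layouts.

```python
import re
import sys
import zipfile
from pathlib import Path

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# %m, %msg and %message are treated as one converter (assumption, see lead-in);
# a format modifier such as -5 or .100 may sit between '%' and the name.
MESSAGE_RE = re.compile(r"%[-\d.]*(?:message|msg|m)(?![A-Za-z])((?:\{[^}]*\})*)")

# Constructed sample config lines: the first layout is patched, the second is not.
SAMPLE_CONFIG = '''<PatternLayout pattern="%d [%t] %-5p (%F:%L) - %m{noLookups}%n"/>
<PatternLayout pattern="%d %-5p %marker - %msg%n"/>'''

def unprotected_patterns(config_text):
    """Return (line_no, converter) for each message converter lacking {noLookups}."""
    hits = []
    for no, line in enumerate(config_text.splitlines(), 1):
        for m in MESSAGE_RE.finditer(line):
            # Option matched case-insensitively (assumption about Log4j's parsing).
            if "{nolookups}" not in m.group(1).lower():
                hits.append((no, m.group(0)))
    return hits

def jar_has_jndilookup(jar_path):
    """True if the jar still ships the JndiLookup class."""
    with zipfile.ZipFile(jar_path) as jar:
        return JNDI_CLASS in jar.namelist()

def audit(exist_home):
    """Check both mitigations under an eXist home directory."""
    home = Path(exist_home)
    config = (home / "etc" / "log4j2.xml").read_text(encoding="utf-8")
    jars = sorted(home.glob("lib/log4j-core-*.jar"))
    return {
        "unprotected_patterns": unprotected_patterns(config),
        "jars_with_jndilookup": [j.name for j in jars if jar_has_jndilookup(j)],
    }

if __name__ == "__main__":
    if len(sys.argv) > 1:
        report = audit(sys.argv[1])  # path to the eXist home folder
    else:
        report = {"unprotected_patterns": unprotected_patterns(SAMPLE_CONFIG)}
    print(report)
```

Run it with the eXist home folder as the only argument; both lists in the report are empty once the config edit and the zip command have been applied.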