From: Michael W. <wes...@ja...> - 2021-12-11 23:41:46
Thank you, Juri.
I had downloaded Log4J 2.15.0 in preparation, but hadn't yet removed the
2.14.1 jars as I needed to test first. This helps speed things up.
Thank you again.
Take care.
On Sun, Dec 12, 2021 at 5:59, Juri Leino <ju...@ex...> wrote:
> I believe everyone has heard about the critical vulnerability in log4j2 at
> this point.
>
> Even if you did upgrade your Java version (later than JDK 8u191 for Java
> 8), please consider additional actions to mitigate the log4j2 vulnerability
> (applies to all versions of exist 5):
>
> - navigate to the home folder of your exist instance (might be in
> $EXIST_HOME)
>
> - open etc/log4j2.xml in a text editor and
> replace _all occurrences_ of "%m" with "%m{noLookups}"
>
> - additionally or if the above cannot be applied for some reason run
>
> zip -q -d lib/log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
>
> To remove the JndiLookup altogether.
>
> The exist db must be restarted for these changes to take effect.
>
> Source: https://logging.apache.org/log4j/2.x/security.html
--
Michael Westbay
Writer/System Administrator
http://www.japanesebaseball.com/
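
A check for the two mitigations described in the quoted message, as an added example that is not part of the original thread or of eXist-db's own tooling: it lists message converters in a log4j2.xml that still lack `{noLookups}` and reports whether a log4j-core jar still contains `JndiLookup.class`. It also covers the `%msg` and `%message` aliases of `%m`, which goes beyond the message; the function names and the sample config are constructed for illustration.

```python
import io
import re
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

# %m, %msg and %message name the same Log4j 2 message converter. A format
# modifier (e.g. %-5.20m) may sit between "%" and the name. The lookahead
# keeps other converters such as %marker, %mdc and %map from matching.
MESSAGE_CONV = re.compile(
    r"%(?:-?\d+)?(?:\.-?\d+)?(?:message|msg|m)(?![A-Za-z])((?:\{[^}]*\})*)"
)

def unmitigated_patterns(config_text):
    """Return (line_no, converter) for each message converter without {noLookups}."""
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        for match in MESSAGE_CONV.finditer(line):
            options = re.findall(r"\{([^}]*)\}", match.group(1))
            # Assumption: the option name is compared case-insensitively.
            if not any(opt.lower() == "nolookups" for opt in options):
                findings.append((line_no, match.group(0)))
    return findings

def jar_has_jndi_lookup(jar):
    """True if the log4j-core jar (path or file object) still ships JndiLookup."""
    with zipfile.ZipFile(jar) as archive:
        return JNDI_CLASS in archive.namelist()

def make_jar(names):
    """Build an in-memory jar with empty entries (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name in names:
            archive.writestr(name, b"")
    buf.seek(0)
    return buf

# Constructed sample config, not the etc/log4j2.xml shipped with eXist-db.
SAMPLE_CONFIG = """<Configuration>
  <PatternLayout pattern="%d [%t] %-5p (%F [%M]:%L) - %m %n"/>
  <PatternLayout pattern="%d %marker %X{user} - %m{noLookups}%n"/>
  <PatternLayout pattern="%d %-5level %msg%n"/>
</Configuration>"""
```

Run `unmitigated_patterns` on the contents of etc/log4j2.xml and `jar_has_jndi_lookup` on each lib/log4j-core-*.jar after making the changes and before restarting; an empty list and `False` mean both steps took effect.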