From: Clark, A. <as....@no...> - 2021-12-14 21:59:44
Hi all,

Tech Services here shared this security notice with me: https://logging.apache.org/log4j/2.x/security.html

Essentially, the Log4J attack vector is wider than previously understood. The previously-reported solutions (including `log4j2.formatMsgNoLookups` and `%m{nolookups}`) are insufficient. The patch version of eXist (v5.3.1) upgraded Log4J to v2.15.0, but Log4J v2.16 is now recommended.

Until the next patch version of eXist is released, either

* manually upgrade Log4J to version 2.16.0, or
* remove the JNDI lookup class from Log4J, using the command `zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class`.

Hope this helps other people.

Warmly,
Ash

Ash Clark (my pronoun.is/e/em/eir <http://pronoun.is/e/em/eir>)
XML Applications Developer
Digital Scholarship Group
Northeastern University Libraries
as....@no...
(617) 373-5983

________________________________
From: Mathias Göbel <go...@su...>
Sent: Sunday, December 12, 2021 2:17 PM
To: exi...@li... <exi...@li...>
Subject: Re: [Exist-open] log4j2 vulnerability

Hey Juri,

can you explain why adding the system property is not sufficient in the case of existdb? I added the recommended parameter "-Dlog4j2.formatMsgNoLookups" to the $JAVA_OPTS. Also I guess that setting this parameter as a Property in the log4j2.xml configuration file might also be an alternative.

best,
Mathias

On 11.12.21 21:32, Juri Leino wrote:
> "%m" with "%m{noLookups}"

--
Mathias Göbel
University of Göttingen Library
D-37070 Göttingen
Research and Development
Papendiek 14 (hist. Building, Room 2.408 <https://lageplan.uni-goettingen.de/?ident=7209_4_2.OG_2.408>)
+49 551 39-25823 (Tel., Wednesday to Friday)
+49 551 39-33856 (Fax.)
Digital Library Software and Service Development
Platz der Göttinger Sieben 1 (Central Library, Room 2.129 <https://lageplan.uni-goettingen.de/?ident=5383_1_2.OG_2.129>)
+49 551 39-10230 (Tel., Monday/Tuesday)
go...@su...
http://www.sub.uni-goettingen.de
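An added audit check, written for this thread rather than taken from Ash's or Mathias's messages or from eXist's or Log4j's own code: it reads a log4j-core jar's version, tests whether the JndiLookup class is still present, and mirrors the `zip -q -d` step above by writing a copy of the jar without that entry. The jar it runs against is a constructed stand-in with a minimal manifest, not a real Log4j artifact, and the 2.16.0 threshold is the one the thread recommends.

```python
import re
import tempfile
import zipfile
from pathlib import Path

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED = (2, 16, 0)  # the version recommended in the thread above; adjust as advisories change

def parse_version(text):
    """Extract a (major, minor, patch) tuple from a version string, or None."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text or "")
    return tuple(int(x) for x in m.groups()) if m else None

def audit_log4j_jar(path):
    """Report the jar's version, whether JndiLookup.class is present, and whether it counts as remediated."""
    with zipfile.ZipFile(path) as zf:
        names = zf.namelist()
        version = None
        if "META-INF/MANIFEST.MF" in names:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            m = re.search(r"Implementation-Version:\s*(\S+)", manifest)
            version = parse_version(m.group(1)) if m else None
        version = version or parse_version(Path(path).name)  # fall back to the file name
        has_jndi = JNDI_LOOKUP in names
    # Per the thread: either the recommended version or the lookup class removed
    remediated = (version is not None and version >= FIXED) or not has_jndi
    return {"version": version, "has_jndi_lookup": has_jndi, "remediated": remediated}

def strip_jndi_lookup(src, dst):
    """Write a copy of src to dst without JndiLookup.class (what `zip -q -d` does in place)."""
    with zipfile.ZipFile(src) as zin, zipfile.ZipFile(dst, "w") as zout:
        for item in zin.infolist():
            if item.filename != JNDI_LOOKUP:
                zout.writestr(item, zin.read(item.filename))

def make_sample_jar(path, version, include_jndi=True):
    """Constructed stand-in for a log4j-core jar (not a real Log4j artifact)."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder class bytes

def demo():
    """Audit a constructed 2.15.0 jar, strip the class, audit again, and audit a 2.16.0 jar."""
    with tempfile.TemporaryDirectory() as d:
        old, patched, new = (str(Path(d) / n) for n in ("log4j-core-2.15.0.jar", "log4j-core-2.15.0-nojndi.jar", "log4j-core-2.16.0.jar"))
        make_sample_jar(old, "2.15.0")
        make_sample_jar(new, "2.16.0")
        strip_jndi_lookup(old, patched)
        return audit_log4j_jar(old), audit_log4j_jar(patched), audit_log4j_jar(new)
```

Point `audit_log4j_jar` at a real `log4j-core-*.jar` from an eXist installation to check it; `demo()` only exercises the constructed samples.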