From: Josef W. UL <jwe...@hi...> - 2021-12-15 15:48:00
Many thanks to Adam (and others involved) for providing 5.3.1 so quickly!

I use eXist-db 4.7.1 still in an active project. I think I have the following alternatives:

- Replace %m with %m{nolookups} in log4j2.xml (which I have done in all my installations) and which as of now seems not to be sufficient
- Replace the actual jars of log4j2 with the jars of log4j2 version 2.16; can I simply replace these jars in an eXist-db install (e.g. eXist-db-4.7.1)?
- Wait for an updated version of eXist-db-4.7.1 (I could maybe myself update the source tree in github, if someone could instruct me briefly :-))

I need eXist-4.7.1 for at least a while, since my project takes advantage of Joern Turner's (et al.) betterForm package.

Thanks
Josef Wetzel

On 11.12.21 21:32, Juri Leino wrote:
> I believe everyone has heard about the critical vulnerability in log4j2 at this point.
>
> Even if you did upgrade your Java version (later than JDK 8u191 for Java 8)
> please consider additional actions to mitigate the log4j2 vulnerability
> (applies to all versions of exist 5):
>
> - navigate to the home folder of your exist instance (might be in $EXIST_HOME)
>
> - open etc/log4j2.xml in a text editor and replace _all occurrences_ of "%m"
> with "%m{noLookups}"
>
> - additionally, or if the above cannot be applied for some reason, run
>
> zip -q -d lib/log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
>
> to remove the JndiLookup altogether.
>
> The exist db must be restarted for these changes to take effect.
>
> Source: https://logging.apache.org/log4j/2.x/security.html
>
>
> _______________________________________________
> Exist-open mailing list
> Exi...@li...
> https://lists.sourceforge.net/lists/listinfo/exist-open
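The two mitigations quoted above (the %m{nolookups} pattern change and deleting JndiLookup.class from log4j-core) can be audited and applied from a script instead of by hand, which also lets you verify the result across several installations. The following is an added example, not code from the thread or from the eXist-db project. It assumes the EXIST_HOME layout named in Juri's message (etc/log4j2.xml and lib/log4j-core-*.jar); the helper names (MSG_CONV_RE, audit_exist_home, remove_jndi_lookup, make_sample_exist_home) are my own, and the sample jar and config it builds are constructed stand-ins, not real Log4j artifacts. Two caveats from the Apache advisory the thread links: for Log4j 2.x below 2.16 the %m{nolookups} change is listed as an insufficient mitigation (CVE-2021-45046), so removing JndiLookup.class is the workaround to rely on when you cannot upgrade; and if you do swap in 2.16 jars, log4j-api and log4j-core must be replaced together at the same version.

```python
"""Audit and apply the two Log4j 2 mitigations from the thread.

1. etc/log4j2.xml: find PatternLayout message conversions (%m, %msg,
   %message) that lack the {nolookups} option and add it.
2. lib/log4j-core-*.jar: detect and remove
   org/apache/logging/log4j/core/lookup/JndiLookup.class, the same effect
   as `zip -q -d lib/log4j-core-*.jar <that path>`.

The EXIST_HOME layout is an assumption; restart eXist-db after applying.
"""
import re
import shutil
import tempfile
import zipfile
from pathlib import Path

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

# A message conversion: "%", optional format modifier (e.g. %-5m), the
# conversion word, then optional {options}. Longest alternative first and a
# word boundary so %m does not match %marker or %message by accident.
MSG_CONV_RE = re.compile(r"%[-.\d]*(?:message|msg|m)\b(?:\{(?P<opts>[^}]*)\})?")


def unsafe_message_conversions(pattern_text):
    """Return every %m-style conversion in the text that still does lookups.
    Option matching is case-insensitive, so %m{noLookups} counts as safe."""
    hits = []
    for m in MSG_CONV_RE.finditer(pattern_text):
        opts = m.group("opts") or ""
        if "nolookups" not in opts.lower():
            hits.append(m.group(0))
    return hits


def add_nolookups(pattern_text):
    """Add {nolookups} to every message conversion that has no options at all.
    Conversions that already carry other options (e.g. %m{ansi}) are left for
    manual review; they still show up in unsafe_message_conversions()."""
    def fix(m):
        return m.group(0) + "{nolookups}" if m.group("opts") is None else m.group(0)
    return MSG_CONV_RE.sub(fix, pattern_text)


def jar_has_jndi_lookup(jar_path):
    """True if the jar still ships JndiLookup.class."""
    with zipfile.ZipFile(jar_path) as zf:
        return JNDI_LOOKUP_CLASS in zf.namelist()


def remove_jndi_lookup(jar_path):
    """Rewrite the jar without JndiLookup.class, keeping a .bak copy.
    Returns True if the class was present and removed."""
    jar_path = Path(jar_path)
    if not jar_has_jndi_lookup(jar_path):
        return False
    shutil.copy2(jar_path, jar_path.with_name(jar_path.name + ".bak"))
    tmp = jar_path.with_name(jar_path.name + ".tmp")
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_LOOKUP_CLASS:
                dst.writestr(info, src.read(info))  # keeps per-entry compression
    tmp.replace(jar_path)
    return True


def audit_exist_home(exist_home):
    """Report what is still unmitigated under an EXIST_HOME; changes nothing."""
    home = Path(exist_home)
    cfg = home / "etc" / "log4j2.xml"
    report = {"unsafe_conversions": [], "jars_with_jndi_lookup": []}
    if cfg.exists():
        report["unsafe_conversions"] = unsafe_message_conversions(cfg.read_text())
    for jar in sorted((home / "lib").glob("log4j-core-*.jar")):
        if jar_has_jndi_lookup(jar):
            report["jars_with_jndi_lookup"].append(jar.name)
    return report


def mitigate(exist_home):
    """Apply both mitigations, then return a fresh audit (expected: nothing left)."""
    home = Path(exist_home)
    cfg = home / "etc" / "log4j2.xml"
    if cfg.exists():
        cfg.write_text(add_nolookups(cfg.read_text()))
    for jar in sorted((home / "lib").glob("log4j-core-*.jar")):
        remove_jndi_lookup(jar)
    return audit_exist_home(home)


def make_sample_exist_home(root):
    """Constructed stand-in EXIST_HOME: a fake log4j-core jar (placeholder bytes,
    not real Log4j classes) and a log4j2.xml with one safe and one unsafe pattern."""
    root = Path(root)
    (root / "lib").mkdir(parents=True, exist_ok=True)
    (root / "etc").mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(root / "lib" / "log4j-core-2.x.jar", "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe stand-in")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
    (root / "etc" / "log4j2.xml").write_text(
        '<Configuration>\n  <Appenders>\n'
        '    <Console name="STDOUT"><PatternLayout pattern="%d [%t] %-5p %c - %m%n"/></Console>\n'
        '    <File name="exist" fileName="exist.log">\n'
        '      <PatternLayout pattern="%d{ISO8601} %-5p %c{1}: %msg{nolookups}%n"/></File>\n'
        '  </Appenders>\n</Configuration>\n')
    return root


def demo():
    """Audit, mitigate and re-audit the constructed EXIST_HOME in a temp dir."""
    with tempfile.TemporaryDirectory() as tmpdir:
        home = make_sample_exist_home(tmpdir)
        before = audit_exist_home(home)
        after = mitigate(home)
        with zipfile.ZipFile(home / "lib" / "log4j-core-2.x.jar") as zf:
            remaining = sorted(zf.namelist())  # other entries must survive
    return before, after, remaining


if __name__ == "__main__":
    print(demo())
```

Against a real installation, call audit_exist_home("$EXIST_HOME") first, then mitigate() once you have a backup, and restart eXist-db; the audit running clean afterwards is the check that both the config and every log4j-core jar under lib/ were actually changed.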