From: Pietro L. <pie...@gm...> - 2021-12-16 06:54:01
Thanks!

I tried both and I stumbled upon the fact that there seems to be no $EXIST_HOME set on my computer. This command, run from several locations, using find with several contexts, always gives me the same "nothing to do" result.

So, I gave up and I tried another way. I am not sure that it is an admissible thing to do, nor that it works; that is why I am sharing it, i.e. for a sanity check. What I am entirely sure about is that I do not know what I am doing...

After patching the log4j.xml as recommended, what I did on my MacBook 10.16 with java 1.8.0_311 to test a workaround, and what I would like to try to replicate on the server, was:

- download log4j 2.16 and unpack it
- open exist-db.app/Contents/Java
- replace the five log4j*.jar (2.13) with the ones from the downloaded new version (2.16)
- open exist-db.app/Contents with an editor, search the entire folder and replace every instance of 2.13 with 2.16 (all 94 instances found are related to log4j)

I then started my exist 5.2 and everything seems to be working normally.

While I hope I have "manually upgraded log4j to version 2.16", I am really not sure if that did what I wanted it to do…

If that is a possibility, I would like to replicate it on the server… Can anyone tell me if this is OK?

all best

> On 15.12.2021 at 16:59, Peter Stadler <st...@we...> wrote:
>
> Just for the record/convenience, I do a `find` first to take care of the different paths:
> find ${EXIST_HOME} -name log4j-core-*.jar -exec zip -q -d {} org/apache/logging/log4j/core/lookup/JndiLookup.class \;
>
> Best
> Peter
>
>> On 15.12.2021 at 15:54, Clark, Ash <as....@no...> wrote:
>>
>> Hi Pietro,
>>
>> You may need to be in EXIST_HOME/lib to run the command for removing the JNDI class. Sorry for the omission!
>>
>> ~Ash
>>
>> From: Pietro Liuzzo <pie...@gm...>
>> Sent: Wednesday, December 15, 2021 2:16 AM
>> To: Clark, Ash <as....@no...>
>> Cc: Mathias Göbel <go...@su...>; exist-open <exi...@li...>
>> Subject: Re: [Exist-open] log4j2 vulnerability
>>
>> Thanks!
>>
>> I have tried to do this as well but I am told that there is nothing to do.
>> perhaps the location of that class depends on the system?
>>
>> all best
>> Pietro
>>
>> Pietro Maria Liuzzo (egli/lui,he/him,er/ihn)
>> cel (DE): +49 (0) 176 61 000 606
>> Skype: pietro.liuzzo (Quingentole)
>> ORCID: https://orcid.org/0000-0001-5714-4011
>> Academia: https://uni-hamburg.academia.edu/PietroMariaLiuzzo
>>
>>> On 14 Dec 2021, at 22:27, Clark, Ash <as....@no...> wrote:
>>>
>>> zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
>>
>> _______________________________________________
>> Exist-open mailing list
>> Exi...@li...
>> https://lists.sourceforge.net/lists/listinfo/exist-open
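
A way to check the state discussed in this thread, as an added example that is not part of the original messages or of eXist-db: it takes the install directory as an explicit argument (refusing an empty value such as an unset $EXIST_HOME) and reports, for every log4j-core jar below it, the version in the file name and whether JndiLookup.class is still inside. The function names, the directory layout and the sample jars are constructed for illustration.

```python
import re
import tempfile
import zipfile
from pathlib import Path

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
CORE_JAR = re.compile(r"^log4j-core-(\d+(?:\.\d+)*)\.jar$")


def audit_log4j(root):
    """Return one record per log4j-core jar under root (hypothetical helper)."""
    # An empty string would resolve to the current directory and silently
    # search the wrong place, so it is rejected instead.
    if not root or not Path(root).is_dir():
        raise ValueError(f"install directory not set or missing: {root!r}")
    root = Path(root)
    findings = []
    for jar in sorted(root.rglob("log4j-core-*.jar")):
        match = CORE_JAR.match(jar.name)
        try:
            with zipfile.ZipFile(jar) as zf:
                has_jndi = JNDI_CLASS in zf.namelist()
        except zipfile.BadZipFile:
            has_jndi = None  # unreadable archive: inspect by hand
        findings.append({
            "path": jar.relative_to(root).as_posix(),
            "version": match.group(1) if match else None,
            "jndi_lookup_present": has_jndi,
        })
    return findings


def build_sample_install(root):
    """Constructed sample: one untouched jar, one with JndiLookup.class removed."""
    other = "org/apache/logging/log4j/core/Logger.class"
    layout = {
        "Contents/Java/log4j-core-2.13.0.jar": [other, JNDI_CLASS],
        "patched/lib/log4j-core-2.13.0.jar": [other],
    }
    for rel, names in layout.items():
        jar = Path(root) / rel
        jar.parent.mkdir(parents=True)
        with zipfile.ZipFile(jar, "w") as zf:
            for name in names:
                zf.writestr(name, b"")  # empty placeholders, not real classes
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for row in audit_log4j(build_sample_install(tmp)):
            print(row)
```

On a real install, pass the directory explicitly, for example the exist-db.app/Contents folder named in the message above.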