From: Omar S. <Oma...@oe...> - 2021-12-16 08:52:58
Hi all,

On 16.12.2021 at 09:39, Josef Wetzel UL via Exist-open wrote:
> Hi Pietro
>
> I think this procedure corresponds fully to Apache's recommendation and
> should work as expected. Replacing the jars is maybe not completely
> satisfying.

Sorry, but this changed yesterday. Apache now explicitly recommends
replacing the log4j 2 jars with 2.16.0. It seems there are ways to exploit
this that do not rely on JNDI.

https://logging.apache.org/log4j/2.x/

The solution on MacOS is quite similar, with really replacing the jars, I
think: go into your app package eXist-db.app/Contents/Java and replace the
log4j jars with those of the 2.16.0 binary distribution from Apache.

>
> Josef

If you don't use MacOS as your public server OS, you can probably opt to
leave exist-db alone, because you probably won't compromise your own
development machine. But the choice here is a bit uncertain. Maybe some
malicious code will find exist and use it if unpatched.

If you install exist-db on a server like on a dev machine, you can use
pretty much the same steps there. If you use containers >= 5.0.0 on the
server, it is very different, because they work with one uber jar and you
don't see the individual jars anymore.

Best regards

--
Mag. Ing. Omar Siam
Austrian Center for Digital Humanities and Cultural Heritage
Österreichische Akademie der Wissenschaften | Austrian Academy of Sciences
Stellvertretende Behindertenvertrauensperson | Deputy representative for disabled persons
Wohllebengasse 12-14, 1040 Wien, Österreich | Vienna, Austria
T: +43 1 51581-7295
oma...@oe... | www.oeaw.ac.at/acdh
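Worked example of the jar swap the message describes, added here as an illustration; it is not part of Omar's message and not eXist-db's own tooling. It is a POSIX shell script that lists the log4j 2 jars in an install directory, replaces each with the same artifact from an unpacked Apache log4j 2.16.0 binary distribution, keeps the old jars in a backup directory, and then re-checks the versions. It assumes the jars sit as individual files named artifact-version.jar somewhere below the install directory (eXist-db.app/Contents/Java in the message; the lib/ subdirectory used in the comments and the backup directory name are assumptions) and that the distribution directory is passed as the second argument. Because the check works on file names, it reports nothing about log4j classes bundled inside an uber jar, which is the >= 5.0.0 container case the message points out.

```shell
#!/bin/sh
# Added example, not from the mailing-list message or from eXist-db.
# Swaps the individually packaged log4j 2 jars in an eXist-db install
# directory (e.g. eXist-db.app/Contents/Java on macOS) for the same
# artifacts from an unpacked Apache log4j 2.16.0 binary distribution.
# Directory layout and the log4j-backup directory name are assumptions.

# List the log4j 2 jars below a directory, one path per line, skipping the
# backup directory this script creates. Matching is by file name only, so
# an uber jar that bundles log4j classes will not be reported.
find_log4j_jars() {
  find "$1" -type f -name 'log4j-*-[0-9]*.jar' ! -path '*/log4j-backup/*' | sort
}

# log4j-core-2.14.1.jar -> 2.14.1 (version is the part after the last '-')
jar_version() {
  basename "$1" .jar | sed 's/.*-\([0-9][0-9.]*\)$/\1/'
}

# log4j-1.2-api-2.14.1.jar -> log4j-1.2-api (strip the trailing -version)
jar_artifact() {
  basename "$1" .jar | sed 's/-[0-9][0-9.]*$//'
}

# Print "artifact version path" for every log4j jar under $1 and return 1
# if any of them is not at the wanted version ($2, default 2.16.0).
check_log4j_jars() {
  want=${2:-2.16.0}; rc=0
  old_ifs=$IFS; IFS='
'
  for jar in $(find_log4j_jars "$1"); do
    v=$(jar_version "$jar")
    echo "$(jar_artifact "$jar") $v $jar"
    [ "$v" = "$want" ] || rc=1
  done
  IFS=$old_ifs
  return $rc
}

# Replace every log4j jar under $1 with the same artifact at version $3
# (default 2.16.0) taken from the distribution directory $2. Old jars are
# moved to $1/log4j-backup so the change can be reverted. Returns 1 if an
# artifact has no counterpart in the distribution; that jar is left as is.
replace_log4j_jars() {
  install_dir=$1; dist_dir=$2; want=${3:-2.16.0}; rc=0
  mkdir -p "$install_dir/log4j-backup"
  old_ifs=$IFS; IFS='
'
  for old in $(find_log4j_jars "$install_dir"); do
    art=$(jar_artifact "$old")
    new=$dist_dir/$art-$want.jar
    if [ ! -f "$new" ]; then
      echo "no $art-$want.jar in $dist_dir, leaving $old in place" >&2
      rc=1
      continue
    fi
    mv "$old" "$install_dir/log4j-backup/"
    cp "$new" "$(dirname "$old")/"
    echo "replaced $(basename "$old") with $(basename "$new")"
  done
  IFS=$old_ifs
  return $rc
}

# Command-line use (assumed paths):
#   sh fix-log4j.sh /Applications/eXist-db.app/Contents/Java ~/apache-log4j-2.16.0-bin
if [ $# -ge 2 ]; then
  replace_log4j_jars "$1" "$2" "${3:-2.16.0}" && check_log4j_jars "$1" "${3:-2.16.0}"
fi
```

Stop eXist-db before running the swap and start it again afterwards, since the JVM keeps the old jars open while it is running; the final `check_log4j_jars` pass is the confirmation that no jar below the install directory is still at a pre-2.16.0 version.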