This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/trunk by this push:
     new 3e05cf0  Fixed: [SECURITY] CVE-2021-45105: Apache Log4j2 (OFBIZ-12470)
3e05cf0 is described below

commit 3e05cf0443449836fd6f2b0df4a5432017df4c92
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Sun Dec 19 08:48:55 2021 +0100

    Fixed: [SECURITY] CVE-2021-45105: Apache Log4j2 (OFBIZ-12470)
    
    The configuration seems to have changed.
    
    log4j-slf4j18-impl available in Maven as 2.16.0 is not in 2.17.0.
    Also log4j-web is now needed.
    
    I was guided by this block in console.log of trunk demo:
    Caused by: java.lang.NoClassDefFoundError: org/apache/logging/log4j/core/util/SetUtils
        at org.apache.logging.log4j.web.Log4jWebInitializerImpl.getConfigURI(Log4jWebInitializerImpl.java:196)
        at org.apache.logging.log4j.web.Log4jWebInitializerImpl.initializeNonJndi(Log4jWebInitializerImpl.java:175)
        at org.apache.logging.log4j.web.Log4jWebInitializerImpl.start(Log4jWebInitializerImpl.java:112)
        at org.apache.logging.log4j.web.Log4jServletContainerInitializer.onStartup(Log4jServletContainerInitializer.java:57)
        at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5219)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
    
    I'll dbl-check why, notably about log4j-slf4j18-impl.
    At least it works well like that.
---
 build.gradle | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/build.gradle b/build.gradle
index 6a07fcc..2e2ce49 100644
--- a/build.gradle
+++ b/build.gradle
@@ -258,7 +258,8 @@ dependencies {
     runtimeOnly 'org.apache.geronimo.specs:geronimo-jaxrpc_1.1_spec:2.1'
     runtimeOnly 'org.apache.logging.log4j:log4j-1.2-api:2.17.0' // for 
external jars using the old log4j1.2: routes logging to log4j 2
     runtimeOnly 'org.apache.logging.log4j:log4j-jul:2.17.0' // for external 
jars using the java.util.logging: routes logging to log4j 2
-    runtimeOnly 'org.apache.logging.log4j:log4j-slf4j18-impl:2.17.0' // for 
external jars using slf4j: routes logging to log4j 2
+    runtimeOnly 'org.apache.logging.log4j:log4j-slf4j-impl:2.17.0' // for 
external jars using slf4j: routes logging to log4j 2
+    runtimeOnly 'org.apache.logging.log4j:log4j-web:2.17.0' //???
     runtimeOnly 'org.apache.logging.log4j:log4j-jcl:2.17.0' // need to 
constrain to version to avoid classpath conflict (ReflectionUtil)
     runtimeOnly 'org.codeartisans.thirdparties.swing:batik-all:1.8pre-r1084380'
 
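Review bot: The added `log4j-web` line carries only `//???` as its comment, which leaves future readers no way to know why the artifact is needed or whether it can be dropped; every neighbouring `runtimeOnly` line in this hunk explains its purpose inline, so this one should too. The commit message already gives the reason: the `NoClassDefFoundError` for `org/apache/logging/log4j/core/util/SetUtils` was thrown from `Log4jWebInitializerImpl`, which lives in `log4j-web`, so that artifact was evidently already reaching the classpath (presumably transitively and at a version that did not match `log4j-core`), and pinning it explicitly to `2.17.0` aligns it with the other Log4j 2 artifacts here. Suggest something like `runtimeOnly 'org.apache.logging.log4j:log4j-web:2.17.0' // servlet-container initializer; must match the log4j-core version (see OFBIZ-12470)`. For the `log4j-slf4j18-impl` to `log4j-slf4j-impl` swap, the remaining open point from the commit message ("I'll dbl-check why") is worth resolving before closing the issue: `log4j-slf4j-impl` is the binding for the SLF4J 1.7 API, so it should be confirmed that none of the external jars this line exists for depend on the SLF4J 1.8 API, otherwise their logging would silently stop being routed to Log4j 2 rather than fail at build time.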