[jira] [Commented] (OFBIZ-12470) [SECURITY] CVE-2021-45105: Apache Log4j2

Sun, 19 Dec 2021 00:07:06 -0800 


    [ 
https://issues.apache.org/jira/browse/OFBIZ-12470?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17462098#comment-17462098
 ] 

ASF subversion and git services commented on OFBIZ-12470:
---------------------------------------------------------

Commit 3e05cf0443449836fd6f2b0df4a5432017df4c92 in ofbiz-framework's branch 
refs/heads/trunk from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=3e05cf0 ]

Fixed: [SECURITY] CVE-2021-45105: Apache Log4j2 (OFBIZ-12470)

The configuration seems to have changed.

log4j-slf4j18-impl available in Maven as 2.16.0 is not in 2.17.0.
Also log4j-web is now needed.

I was guided by this block in console.log of trunk demo:
Caused by: java.lang.NoClassDefFoundError: 
org/apache/logging/log4j/core/util/SetUtils
        at 
org.apache.logging.log4j.web.Log4jWebInitializerImpl.getConfigURI(Log4jWebInitializerImpl.java:196)
        at 
org.apache.logging.log4j.web.Log4jWebInitializerImpl.initializeNonJndi(Log4jWebInitializerImpl.java:175)
        at 
org.apache.logging.log4j.web.Log4jWebInitializerImpl.start(Log4jWebInitializerImpl.java:112)
        at 
org.apache.logging.log4j.web.Log4jServletContainerInitializer.onStartup(Log4jServletContainerInitializer.java:57)
        at 
org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5219)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)

I'll dbl-check why, notably about log4j-slf4j18-impl.
At least it works well like that.


> [SECURITY] CVE-2021-45105: Apache Log4j2
> ----------------------------------------
>
>                 Key: OFBIZ-12470
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-12470
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: ALL COMPONENTS
>    Affects Versions: 18.12.04
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Blocker
>
> CVE-2021-45105: Apache Log4j2 versions 2.0-alpha1 through 2.16.0 does not 
> protect from uncontrolled recursion from self-referential lookups. This 
> allows an attacker with control over Thread Context Map data to cause a 
> denial of service when a crafted string is interpreted. This issue is fixed 
> in Log4j 2.17.0.: https://logging.apache.org/log4j/2.x/security.html



--
This message was sent by Atlassian Jira
(v8.20.1#820001)

Reply via email to