Hi,
checking the link to Jacques' commit, indeed this is the preferred option and OFBiz appears to support the upgrade to log4j 2.15 (contains the patch).

If for some reason you fall into dependencies with earlier versions of OFBiz, there is also a mitigation to set a runtime parameter targeting log4j's JNDI lookup configuration, so you would need to check the startup script and add this specific parameter.

Hope this helps,
warm regards

Carsten

---
Dr. Carsten Schinzer
*Owner*
t +49 89 88569642 | f +49 89 99964059 | m +49 159 05269462
DCS Verkaufssysteme
Gerner Str. 27 | 80638 München | Germany

On Tue, 14 Dec 2021 at 20:26, Benjamin Major <[email protected]> wrote:

> My plan is to implement the same changes Jacques made on this commit in my
> 17.12 instance:
>
> https://github.com/apache/ofbiz-framework/commit/bccf14066cb2ca6fc5861eb457d06a2d0429d00b
>
> Hope this helps,
> -Ben
>
> -----Original Message-----
> From: Mo <[email protected]>
> Sent: Tuesday, December 14, 2021 1:44 PM
> To: [email protected]
> Subject: LOG4J vulnerability
>
> Hi Team,
>
> By now, you have all heard about log4j vulnerability:
>
> https://urldefense.com/v3/__https://unit42.paloaltonetworks.com/apache-log4j-vulnerability-cve-2021-44228/__;!!EJa4QJeSQriN6rihOlMA!nTqxZLfyCLC5vmpcDQg0QH8m6OPkD3pLDQ4w1IoIpI5NVqORyEc0e-0kYC1fAL-JzVb2mwNO$
>
> Do we know how this does impact ofbiz customer installations? And how to
> solve?
>
> Many thanks
>
> Mo.
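
A check for the fallback described in the reply above, as an added example that is not part of the original thread: it classifies each log4j-core jar in a tree and looks for the JVM property in the startup script. The thread does not name the parameter; the property `log4j2.formatMsgNoLookups` (read by Log4j from 2.10 onward), the jar naming and the sample tree are assumptions.

```sh
# Added example, not from the thread. Assumptions: jars are named
# log4j-core-<version>.jar, and the runtime parameter is the system property
# log4j2.formatMsgNoLookups, which Log4j reads from 2.10 onward.

# Print the minor version of a log4j-core 2.x jar (empty if the name differs).
log4j2_minor() {
  basename "$1" | sed -n 's/^log4j-core-2\.\([0-9][0-9]*\).*\.jar$/\1/p'
}

# Succeed when a non-comment line of the startup script sets the property.
has_lookup_flag() {
  grep -v '^[[:space:]]*#' "$1" | grep -q -e '-Dlog4j2\.formatMsgNoLookups=true'
}

# Classify one jar against the startup script that launches the JVM.
classify_jar() {
  minor=$(log4j2_minor "$1")
  if [ -z "$minor" ]; then echo UNKNOWN
  elif [ "$minor" -ge 15 ]; then echo UPGRADED        # 2.15+, as the thread advises
  elif [ "$minor" -lt 10 ]; then echo NEEDS_UPGRADE   # property is ignored before 2.10
  elif has_lookup_flag "$2"; then echo MITIGATED
  else echo NEEDS_FLAG
  fi
}

# Report every log4j-core jar under <root>, one "STATUS path" line each.
audit_tree() {
  find "$1" -name 'log4j-core-*.jar' | sort | while IFS= read -r jar; do
    printf '%s %s\n' "$(classify_jar "$jar" "$2")" "$jar"
  done
}

# Constructed sample: empty jar files plus two startup scripts.
make_sample_tree() {
  d=$(mktemp -d)
  mkdir -p "$d/lib"
  : > "$d/lib/log4j-core-2.15.0.jar"
  : > "$d/lib/log4j-core-2.14.1.jar"
  : > "$d/lib/log4j-core-2.8.2.jar"
  printf '%s\n' '#!/bin/sh' 'exec java -Dlog4j2.formatMsgNoLookups=true -jar app.jar' > "$d/start-flag.sh"
  printf '%s\n' '#!/bin/sh' '# -Dlog4j2.formatMsgNoLookups=true' 'exec java -jar app.jar' > "$d/start-plain.sh"
  echo "$d"
}

if [ "${1:-}" = "--demo" ]; then
  t=$(make_sample_tree); audit_tree "$t" "$t/start-flag.sh"; rm -rf "$t"
fi
```

MITIGATED marks the fallback only; the upgrade stays the preferred option in the thread.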
