As an addition, the JVM parameter to disable the lookup does not work
for log4j versions < 2.10.
Best regards,
Michael Brohl
ecomify GmbH - www.ecomify.de
On 14.12.21 at 23:07, Carsten Schinzer wrote:
Hi,
checking the link to Jacques' commit, indeed this is the preferred
option and OFBiz appears to support the upgrade to log4j 2.15 (contains the
patch).
If for some reason you fall into dependencies with earlier versions of
OFBiz, there also is a mitigation to set a runtime parameter
targeting log4j's JNDI lookup configuration, so you would need to check the
startup script and add this specific parameter.
Hope this helps,
warm regards
Carsten
---
Dr. Carsten Schinzer
*Owner*
t +49 89 88569642 | f +49 89 99964059 | m +49 159 05269462
DCS Verkaufssysteme
Gerner Str. 27 | 80638 München | Germany
On Tue., 14 Dec. 2021 at 20:26, Benjamin Major <
[email protected]>:
My plan is to implement the same changes Jacques made on this commit in my
17.12 instance:
https://github.com/apache/ofbiz-framework/commit/bccf14066cb2ca6fc5861eb457d06a2d0429d00b
Hope this helps,
-Ben
-----Original Message-----
From: Mo <[email protected]>
Sent: Tuesday, December 14, 2021 1:44 PM
To: [email protected]
Subject: LOG4J vulnerability
Hi Team,
By now, you have all heard about log4j vulnerability:
https://unit42.paloaltonetworks.com/apache-log4j-vulnerability-cve-2021-44228/
Do we know how this impacts OFBiz customer installations? And how to
solve it?
Many thanks
Mo.
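As an added example (not code from the thread, from OFBiz, or from log4j), a small POSIX shell check that applies the decision rule the thread arrives at: below log4j 2.10 the JVM parameter is ignored, so only the upgrade helps; 2.10 through 2.14 can set the `-Dlog4j2.formatMsgNoLookups=true` runtime parameter as a stopgap; 2.15 carries the patch from Jacques' commit. The jar naming scheme, the installation directory and the startup script name are assumptions.

```shell
#!/bin/sh
# Classify log4j-core jars found under an OFBiz installation and check
# whether the startup script already carries the no-lookups flag.
# Assumes jars are named log4j-core-<major>.<minor>[.<patch>].jar.

# Print "major.minor[.patch]" for a log4j-core jar path; nothing on no match.
log4j_version_from_jar() {
    basename "$1" | sed -n 's/^log4j-core-\([0-9][0-9.]*\)\.jar$/\1/p'
}

# Map a version string to the action the thread describes:
#   upgrade  - < 2.10: the JVM flag is ignored, upgrade is the only fix
#   mitigate - 2.10 .. 2.14.x: -Dlog4j2.formatMsgNoLookups=true disables the lookup
#   patched  - >= 2.15: the version the thread names as containing the patch
log4j_action() {
    ver=$1
    major=${ver%%.*}
    case "$ver" in
        *.*) minor=${ver#*.}; minor=${minor%%.*} ;;
        *)   minor=0 ;;
    esac
    if [ "$major" != 2 ]; then echo unknown; return 1; fi
    if [ "$minor" -lt 10 ]; then echo upgrade
    elif [ "$minor" -lt 15 ]; then echo mitigate
    else echo patched
    fi
}

# Walk an installation directory (constructed path in the usage below) and
# print one "<jar> <action>" line per log4j-core jar found.
scan_log4j() {
    find "$1" -name 'log4j-core-*.jar' 2>/dev/null | while read -r jar; do
        echo "$jar $(log4j_action "$(log4j_version_from_jar "$jar")")"
    done
}

# True when the startup script already passes the mitigation flag to the JVM.
script_has_flag() {
    grep -q 'log4j2\.formatMsgNoLookups=true' "$1"
}

# Usage with assumed paths: scan_log4j /opt/ofbiz; script_has_flag /opt/ofbiz/startofbiz.sh
```

Run `scan_log4j` against the installation root and, where the result is `mitigate`, confirm with `script_has_flag` that the startup script actually sets the parameter; an `upgrade` result means the flag would have no effect and the 2.15 upgrade is required.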