In December 2021, a serious security vulnerability in the Log4j Java library was disclosed.
The issue has been fixed in OpenCms Version 13 and newer. Installations using older OpenCms Versions may be affected if they have not been updated.
Log4j is a widely used logging library for Java applications also used by OpenCms to aggregate log data.
On December 2021, a zero-day vulnerability involving arbitrary code execution in Log4j 2 was published. This vulnerability, which was later listed with ID CVE-2021-44228 in the National Vulnerability Database, has been characterized as "the single biggest, most critical vulnerability of the last decade".
Starting with OpenCms 13 (available in 2022), the Log4j vulnerability is not present any more. There is nothing to do.
OpenCms 11 and 12 integrate a Log4j 2 version that is affected by the security vulnerability.
In order to solve the vulnerability, do the following:
1. Stop OpenCms
2. In your {TOMCAT_HOME}/WEB-INF/lib/ folder, replace the following Log4j libraries
log4j-api-2.x.x.jar log4j-core-2.x.x.jar log4j-jcl-2.x.x.jar log4j-slf4j-impl-2.x.x.jar
with the most recent ones from https://logging.apache.org/log4j/2.x/download.html
3. Start OpenCms
OpenCms 10.5.x and older integrate a Log4j 1 version that was not affected by the security vulnerability as long as you did not change the OpenCms Log4j default configuration.
If you did change the OpenCms Log4j default configuration, or to be absolutely sure, do the following:
1. Stop OpenCms
2. Remove the JMS appender class from the Log4j JAR file:
zip -q -d {TOMCAT_HOME}/WEB-INF/lib/log4j-1.x.x.jar org/apache/log4j/net/JMSAppender.class
3. Start OpenCms
