The vulnerability allows unauthenticated remote attackers to execute their own program code on the target system.
The vulnerability is extremely serious because it can be exploited in a technically trivial way: it is enough to get a crafted string (for example in a request header or form field) into any message that Log4j writes to the log.
In December 2021, a security vulnerability in the Log4j Java library was disclosed.
Log4j is a widely used logging library for Java applications also used by OpenCms to aggregate log data.
Originally, an IT security service provider reported the vulnerability, which was later listed with ID CVE-2021-44228 in the National Vulnerability Database.
Almost all Log4j versions released before December 2021 are affected.
Log4j 2 is vulnerable from version 2.0 (2.0-beta9) through 2.14.1 (CVE-2021-44228). The first fix in 2.15.0 was incomplete (CVE-2021-45046), so version 2.16.0 or newer is required.
Log4j 1 is not vulnerable by default, but it is if a JMS appender is configured (CVE-2021-4104). Log4j 1 reached end of life in 2015 and receives no fixes, so removing the JMS appender class (see below) is a workaround, not a patch.
OpenCms 11 and newer integrate Log4j 2 and are thus vulnerable.
OpenCms 10.5.x and older integrate Log4j 1 and are thus not vulnerable by default.
Starting with OpenCms 13 (available in 2022), the Log4j vulnerability is not present any more, and there is nothing to do.
For OpenCms 11 and newer (Log4j 2):
Stop OpenCms.
In the WEB-INF/lib/ folder of your deployed OpenCms web application (written as {TOMCAT_HOME}/WEB-INF/lib/ below), replace the currently used Log4j libraries
log4j-api-2.x.x.jar log4j-core-2.x.x.jar log4j-jcl-2.x.x.jar log4j-slf4j-impl-2.x.x.jar
with the most recent ones from https://logging.apache.org/log4j/2.x/download.html
log4j-api-2.17.1.jar log4j-core-2.17.1.jar log4j-jcl-2.17.1.jar log4j-slf4j-impl-2.17.1.jar
(At least Log4j version 2.16.0 is required; 2.17.1 is the current release. Delete the old JARs rather than leaving them next to the new ones, since two Log4j versions on the same classpath lead to unpredictable class loading. Log4j 2.17.1 requires Java 8; for Java 7 use the 2.12.4 release and for Java 6 the 2.3.2 release, which contain the same fixes.)
Start OpenCms.
For OpenCms 10.5.x and older (Log4j 1):
If you did not change the OpenCms Log4j default configuration, i.e. no JMSAppender is configured in the Log4j 1 configuration (log4j.properties), there is nothing to do.
Otherwise, or to be absolutely sure:
Stop OpenCms.
Make a backup copy of the Log4j JAR, then remove the JMS appender class from it:
zip -q -d {TOMCAT_HOME}/WEB-INF/lib/log4j-1.x.x.jar org/apache/log4j/net/JMSAppender.class
Start OpenCms.
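The following script is an added example, not part of OpenCms or of this page's procedure: it audits a WEB-INF/lib folder for both cases above (Log4j 2 JARs below 2.16.0, and Log4j 1 JARs that still contain JMSAppender) and implements the `zip -d` class removal in Python so the result can be re-checked. For Log4j 2 it additionally treats a log4j-core JAR below 2.16.0 whose JndiLookup.class has been stripped as "mitigated"; that check is the Log4j 2 counterpart of the JMSAppender removal documented by the Log4j project, not a step from this page. The sample WEB-INF/lib it builds contains constructed dummy JARs with placeholder entries, not real Log4j builds.

```python
"""Audit and fix the Log4j JARs in an OpenCms WEB-INF/lib folder (added example)."""
import re
import sys
import tempfile
import zipfile
from pathlib import Path

# Lowest Log4j 2 release the procedure above accepts (2.16.0).
MIN_SAFE_LOG4J2 = (2, 16, 0)

# JAR names as shipped in WEB-INF/lib, e.g. log4j-core-2.14.1.jar or log4j-1.2.17.jar.
LOG4J2_RE = re.compile(r"^log4j-(api|core|jcl|slf4j-impl)-(\d+)\.(\d+)\.(\d+)\.jar$")
LOG4J1_RE = re.compile(r"^log4j-1\.\d+\.\d+\.jar$")

# Class entries whose presence makes the respective JAR exploitable.
JNDI_LOOKUP = "org/apache/log4j/core/lookup/JndiLookup.class"   # Log4j 2.x < 2.16.0
JMS_APPENDER = "org/apache/log4j/net/JMSAppender.class"          # Log4j 1.x


def jar_has_entry(jar: Path, entry: str) -> bool:
    """True if the JAR (a zip archive) contains the given entry."""
    with zipfile.ZipFile(jar) as zf:
        return entry in zf.namelist()


def audit_lib_dir(lib_dir) -> dict:
    """Classify every Log4j JAR in lib_dir by file name; other JARs are ignored."""
    findings = {}
    for jar in sorted(Path(lib_dir).glob("*.jar")):
        m2 = LOG4J2_RE.match(jar.name)
        if m2:
            module = m2.group(1)
            version = tuple(int(x) for x in m2.group(2, 3, 4))
            if version >= MIN_SAFE_LOG4J2:
                findings[jar.name] = "ok"
            elif module != "core":
                findings[jar.name] = "outdated"       # replace together with log4j-core
            elif jar_has_entry(jar, JNDI_LOOKUP):
                findings[jar.name] = "vulnerable"     # CVE-2021-44228 reachable
            else:
                findings[jar.name] = "mitigated"      # JndiLookup stripped; still upgrade
        elif LOG4J1_RE.match(jar.name):
            # Log4j 1 is only affected if JMSAppender exists *and* is configured.
            present = jar_has_entry(jar, JMS_APPENDER)
            findings[jar.name] = "jms-appender-present" if present else "ok"
    return findings


def strip_entry(jar: Path, entry: str) -> bool:
    """Remove one entry from a JAR by rewriting it (what `zip -q -d` does above)."""
    tmp = jar.with_name(jar.name + ".tmp")
    removed = False
    with zipfile.ZipFile(jar) as src, zipfile.ZipFile(tmp, "w") as dst:
        for info in src.infolist():
            if info.filename == entry:
                removed = True
                continue
            dst.writestr(info, src.read(info.filename))
    tmp.replace(jar)
    return removed


def build_sample_lib() -> Path:
    """Create a constructed WEB-INF/lib of dummy JARs (placeholder entries, not real Log4j)."""
    lib = Path(tempfile.mkdtemp()) / "WEB-INF" / "lib"
    lib.mkdir(parents=True)
    sample = [
        ("log4j-api-2.14.1.jar", []),
        ("log4j-core-2.14.1.jar", [JNDI_LOOKUP]),
        ("log4j-core-2.17.1.jar", [JNDI_LOOKUP]),   # class still ships in 2.17.1, JNDI is disabled
        ("log4j-1.2.17.jar", [JMS_APPENDER]),
        ("log4j-1.2.15.jar", []),                    # constructed as already stripped
        ("commons-logging-1.2.jar", []),             # unrelated JAR, must be ignored
    ]
    for name, entries in sample:
        with zipfile.ZipFile(lib / name, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            for entry in entries:
                zf.writestr(entry, b"")   # placeholder bytes instead of real bytecode
    return lib


if __name__ == "__main__":
    # Usage: python log4j_audit.py /path/to/opencms/WEB-INF/lib (defaults to the sample)
    lib = Path(sys.argv[1]) if len(sys.argv) > 1 else build_sample_lib()
    for name, status in audit_lib_dir(lib).items():
        print(f"{status:20s} {name}")
```

The audit keys off the JAR file name, so a JAR that was renamed or repackaged (for example a shaded log4j-core inside another library) will not be reported; on a real system also search the rest of the web application for JndiLookup.class and JMSAppender.class before declaring it clean.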