Log4j Security Vulnerability
In December 2021, a security vulnerability in the Log4j Java library was disclosed.
Log4j is a widely used logging library for Java applications; OpenCms also uses it to aggregate log data.
Originally, an IT security service provider reported the vulnerability, which was later listed with ID CVE-2021-44228 in the National Vulnerability Database.
Which versions are affected?
Almost all Log4j versions are affected.
Log4j 2 is vulnerable from version 2.0 through 2.14.1.
Log4j 1 is not vulnerable by default, but it is if a JMS appender is configured.
OpenCms 11 and newer integrate Log4j 2 and are thus vulnerable.
OpenCms 10.5.x and older integrate Log4j 1 and are thus not vulnerable by default.
OpenCms Versions 11 and newer
Stop OpenCms.
In your {TOMCAT_HOME}/WEB-INF/lib/ folder, replace the currently used Log4j libraries
log4j-api-2.x.x.jar log4j-core-2.x.x.jar log4j-jcl-2.x.x.jar log4j-slf4j-impl-2.x.x.jar
with the most recent ones from https://logging.apache.org/log4j/2.x/download.html
log4j-api-2.17.1.jar log4j-core-2.17.1.jar log4j-jcl-2.17.1.jar log4j-slf4j-impl-2.17.1.jar
(At least Log4j version 2.16 is required.)
Start OpenCms.
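The following shell script is an added example and not part of the OpenCms notice. It checks the outcome of the procedure above (every Log4j 2 jar in the lib folder must be at least 2.16) and also covers the Log4j 1 case described earlier (not vulnerable by default unless a JMS appender is configured). It assumes the jars keep the upstream naming log4j-<module>-<version>.jar and that a Log4j 1 configuration is a properties file; the directory and properties content it creates are constructed sample input, not files from a real installation.

```shell
#!/bin/sh
# Added example: audit a WEB-INF/lib folder for Log4j jars and, for Log4j 1,
# check a properties file for the JMS appender. Not OpenCms project code.

MIN_LOG4J2_VERSION=2.16   # minimum version the notice requires for Log4j 2

# Extract the version from an upstream-named jar, e.g.
# log4j-slf4j-impl-2.17.1.jar -> 2.17.1, log4j-1.2.17.jar -> 1.2.17
log4j_version_of() {
  basename "$1" .jar | sed -n 's/^log4j.*-\([0-9][0-9.]*\)$/\1/p'
}

# Return 0 if dotted version $1 >= $2, comparing components numerically
# (so 2.9 < 2.16, and 2.16.0 == 2.16).
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    len = (n > m) ? n : m
    for (i = 1; i <= len; i++) {
      xi = (i <= n) ? x[i] + 0 : 0
      yi = (i <= m) ? y[i] + 0 : 0
      if (xi > yi) exit 0
      if (xi < yi) exit 1
    }
    exit 0
  }'
}

# Print "<jar name> <status>" for one jar path. Status is one of:
#   VULNERABLE        Log4j 2 below the required minimum
#   ok                Log4j 2 at or above the minimum
#   log4j1-check-jms  Log4j 1: safe by default, inspect config for JMSAppender
#   unknown           version could not be parsed from the file name
classify_log4j_jar() {
  name=$(basename "$1")
  ver=$(log4j_version_of "$name")
  case "$ver" in
    "")  echo "$name unknown"; return 0 ;;
    1.*) echo "$name log4j1-check-jms"; return 0 ;;
  esac
  if version_ge "$ver" "$MIN_LOG4J2_VERSION"; then
    echo "$name ok"
  else
    echo "$name VULNERABLE"
  fi
}

# Classify every log4j*.jar in directory $1; return 1 if any is VULNERABLE.
scan_log4j_lib() {
  rc=0
  for jar in "$1"/log4j*.jar; do
    [ -e "$jar" ] || { echo "no log4j jars found in $1"; return 0; }
    line=$(classify_log4j_jar "$jar")
    echo "$line"
    case "$line" in *VULNERABLE) rc=1 ;; esac
  done
  return $rc
}

# Return 0 if a Log4j 1 properties file $1 configures the JMS appender class.
log4j1_has_jms_appender() {
  grep -qi 'org\.apache\.log4j\.net\.JMSAppender' "$1"
}

# --- constructed sample data (stands in for {TOMCAT_HOME}/WEB-INF/lib) ---
SAMPLE_LIB=$(mktemp -d)
for j in log4j-api-2.14.1.jar log4j-core-2.14.1.jar \
         log4j-jcl-2.17.1.jar log4j-slf4j-impl-2.17.1.jar; do
  : > "$SAMPLE_LIB/$j"          # empty placeholder files, names are what matter
done
SAMPLE_CONF="$SAMPLE_LIB/log4j.properties"
printf 'log4j.rootLogger=INFO, jms\n' > "$SAMPLE_CONF"
printf 'log4j.appender.jms=org.apache.log4j.net.JMSAppender\n' >> "$SAMPLE_CONF"

echo "== Log4j 2 jar audit of $SAMPLE_LIB =="
scan_log4j_lib "$SAMPLE_LIB" || echo "ACTION REQUIRED: replace the jars marked VULNERABLE"

echo "== Log4j 1 configuration check =="
if log4j1_has_jms_appender "$SAMPLE_CONF"; then
  echo "JMSAppender configured in $SAMPLE_CONF: Log4j 1 is NOT safe here"
else
  echo "no JMSAppender in $SAMPLE_CONF"
fi
```

Point scan_log4j_lib at the real lib folder after the replacement step; a non-zero exit makes it usable as a post-patch gate in a deployment script. The classifier only trusts file names, so a jar renamed or repackaged under another name will show as unknown and has to be inspected by hand.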