Log4j Security Vulnerability

In OpenCms since: 6.0 Documented since: 12.0 Latest revision for: 12.0 Valid for OpenCms: 13.0

In December 2021, a security vulnerability in the Log4j Java library was disclosed.

Log4j is a widely used logging library for Java applications also used by OpenCms to aggregate log data.

Originally, an IT security service provider reported the vulnerability, which was later listed with ID CVE-2021-44228 in the National Vulnerability Database.

Page Navigation

What is it?
Which versions are affacted?
What do I have to do?
- OpenCms Versions 11 and newer
- OpenCms Version 10.5.x and older

What is it?

The vulnerability allows attackers to execute their own program code on the target system.

The vulnerability is extremely serious because it can be exploited in a technically trivial way.

Which versions are affacted?

Almost all Log4j versions are affected.

Log4j of version 2 is vulnerable starting with version 2.0 through 2.14.1.

Log4j of version 1 is not vulnerable by default but is if a JMS appender is configured.

OpenCms 11 and newer integrates Log4j 2 and is thus vulnerable.

OpenCms 10.5.x and older integrate Log4j 1 and is thus not vulnerable by default.

What do I have to do?

Starting with OpenCms 13 (available in 2022), the Log4j vulnerability is not present any more. There is nothing to do.

OpenCms Versions 11 and newer

Stop OpenCms.

In your {TOMCAT_HOME}/WEB-INF/lib/ folder, replace the currently used Log4j libraries

log4j-api-2.x.x.jar
log4j-core-2.x.x.jar
log4j-jcl-2.x.x.jar
log4j-slf4j-impl-2.x.x.jar

with the most recent ones from https://logging.apache.org/log4j/2.x/download.html

log4j-api-2.17.1.jar
log4j-core-2.17.1.jar
log4j-jcl-2.17.1.jar
log4j-slf4j-impl-2.17.1.jar

(At least Log4j version 2.16 is required.)

Start OpenCms.

OpenCms Version 10.5.x and older

If you did not change the OpenCms Log4j default configuration there is nothing to do.

Otherwise, or to be absolutely sure: