OpenCms Documentation

Log4j Security Vulnerability

 Show GitHub edit links  Hide GitHub edit links
In OpenCms since: 6.0 Documented since: 12.0 Latest revision for: 12.0 Valid for OpenCms: 13.0

In December 2021, a security vulnerability in the Log4j Java library was disclosed.

Log4j is a widely used logging library for Java applications also used by OpenCms to aggregate log data.

Originally, an IT security service provider reported the vulnerability, which was later listed with ID CVE-2021-44228 in the National Vulnerability Database.

What is it?

The vulnerability allows attackers to execute their own program code on the target system.

The vulnerability is extremely serious because it can be exploited in a technically trivial way.

Which versions are affacted?

Almost all Log4j versions are affected.

Log4j of version 2 is vulnerable starting with version 2.0 through 2.14.1.

Log4j of version 1 is not vulnerable by default but is if a JMS appender is configured.

OpenCms 11 and newer integrates Log4j 2 and is thus vulnerable.

OpenCms 10.5.x and older integrate Log4j 1 and is thus not vulnerable by default.

What do I have to do?

Starting with OpenCms 13 (available in 2022), the Log4j vulnerability is not present any more. There is nothing to do. 

OpenCms Versions 11 and newer

Stop OpenCms.

In your {TOMCAT_HOME}/WEB-INF/lib/ folder, replace the currently used Log4j libraries


with the most recent ones from


(At least Log4j version 2.16 is required.)

Start OpenCms.

OpenCms Version 10.5.x and older

If you did not change the OpenCms Log4j default configuration there is nothing to do.

Otherwise, or to be absolutely sure:

Stop OpenCms.

Remove the JMS appender class from the Log4j JAR file:

zip -q -d {TOMCAT_HOME}/WEB-INF/lib/log4j-1.x.x.jar org/apache/log4j/net/JMSAppender.class

Start OpenCms.