This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/trunk by this push:
new 3e05cf0 Fixed: [SECURITY] CVE-2021-45105: Apache Log4j2 (OFBIZ-12470)
3e05cf0 is described below
commit 3e05cf0443449836fd6f2b0df4a5432017df4c92
Author: Jacques Le Roux <[email protected]>
AuthorDate: Sun Dec 19 08:48:55 2021 +0100
Fixed: [SECURITY] CVE-2021-45105: Apache Log4j2 (OFBIZ-12470)
The configuration seems to have changed.
log4j-slf4j18-impl, available in Maven as 2.16.0, is not in 2.17.0.
Also log4j-web is now needed.
I was guided by this block in console.log of trunk demo:
Caused by: java.lang.NoClassDefFoundError: org/apache/logging/log4j/core/util/SetUtils
    at org.apache.logging.log4j.web.Log4jWebInitializerImpl.getConfigURI(Log4jWebInitializerImpl.java:196)
    at org.apache.logging.log4j.web.Log4jWebInitializerImpl.initializeNonJndi(Log4jWebInitializerImpl.java:175)
    at org.apache.logging.log4j.web.Log4jWebInitializerImpl.start(Log4jWebInitializerImpl.java:112)
    at org.apache.logging.log4j.web.Log4jServletContainerInitializer.onStartup(Log4jServletContainerInitializer.java:57)
    at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5219)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
I'll double-check why, notably about log4j-slf4j18-impl.
At least it works well like that.
---
build.gradle | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/build.gradle b/build.gradle
index 6a07fcc..2e2ce49 100644
--- a/build.gradle
+++ b/build.gradle
@@ -258,7 +258,8 @@ dependencies {
runtimeOnly 'org.apache.geronimo.specs:geronimo-jaxrpc_1.1_spec:2.1'
runtimeOnly 'org.apache.logging.log4j:log4j-1.2-api:2.17.0' // for
external jars using the old log4j1.2: routes logging to log4j 2
runtimeOnly 'org.apache.logging.log4j:log4j-jul:2.17.0' // for external
jars using the java.util.logging: routes logging to log4j 2
- runtimeOnly 'org.apache.logging.log4j:log4j-slf4j18-impl:2.17.0' // for
external jars using slf4j: routes logging to log4j 2
+ runtimeOnly 'org.apache.logging.log4j:log4j-slf4j-impl:2.17.0' // for
external jars using slf4j: routes logging to log4j 2
+ runtimeOnly 'org.apache.logging.log4j:log4j-web:2.17.0' //???
runtimeOnly 'org.apache.logging.log4j:log4j-jcl:2.17.0' // need to
constrain to version to avoid classpath conflict (ReflectionUtil)
runtimeOnly 'org.codeartisans.thirdparties.swing:batik-all:1.8pre-r1084380'
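Review bot: The added `log4j-web` line carries `//???` as its only comment, while every sibling `runtimeOnly` line in this hunk states why the artifact is needed; the reason is already in the commit message (the `NoClassDefFoundError` for `org/apache/logging/log4j/core/util/SetUtils` raised from `Log4jWebInitializerImpl` at Tomcat context startup), so record it in place, e.g. `// required by Log4jWebInitializerImpl at webapp startup, pin to the same version as log4j-core`, rather than leaving an open question in the committed build file. Two follow-ups for the same hunk: the class the trace could not find lives in log4j-core, not log4j-web, so the fix only holds if log4j-core and log4j-api (not shown in this hunk) resolve to 2.17.0 as well; verify with `gradle dependencies --configuration runtimeClasspath` that no other artifact still drags in an older log4j-core, since a mismatched pair reproduces exactly this error. And the swap from `log4j-slf4j18-impl` to `log4j-slf4j-impl` changes which SLF4J API line the bridge binds to; the commit message itself says this is not yet double-checked, so please confirm the slf4j-api version on the runtime classpath matches the bridge and note the expected SLF4J version in the comment, otherwise SLF4J callers in external jars will fail to bind and their logging silently disappears instead of being routed to log4j 2 as the comment promises.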