Hi all, apologies for the cross-posting. Please see below the notice on how to mitigate the recent Log4J RCE on existing JSPWiki 2.11.0 installations.
*************************************************************************************
2021-12-13, Apache JSPWiki affected by Apache Log4J CVE-2021-44228

Severity: Critical

Versions Affected: 2.11.0

Description:
The Apache JSPWiki 2.11.0 release uses a bundled version of the Apache Log4J library that is vulnerable to Remote Code Execution. For full impact and additional detail, consult the Log4J security page.

Apache JSPWiki releases prior to 2.11.0 use Log4J 1.2.17, which may be vulnerable for installations using non-default logging configurations that include the JMS Appender; see https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126 for discussion.

Mitigation:
Any of the following is enough to prevent this vulnerability for Apache JSPWiki installations:

* Upgrade to the upcoming Apache JSPWiki 2.11.1, which will include an updated version of the log4j2 dependency. Alternatively, you can build 2.11.1-git-02 from the master branch, which also includes the updated dependency.
* Manually update the version of Log4J2 on your runtime classpath and restart your JSPWiki application.
* Add -Dlog4j2.formatMsgNoLookups=true to the JVM launching the application (e.g., by adding it to the CATALINA_OPTS variable under Tomcat).

As noted above, the upcoming release of Apache JSPWiki 2.11.1 with the updated library is expected this week.

References:
https://logging.apache.org/log4j/2.x/security.html
**************************************************************************************

best regards,
juan pablo
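The notice lists two mitigations an operator can verify on a running deployment: the log4j-core jar on the runtime classpath has been updated, or the JVM was started with -Dlog4j2.formatMsgNoLookups=true (typically via CATALINA_OPTS). The following audit script is an added example and is not part of the advisory or of the JSPWiki project. It assumes the conventional Tomcat layout where the webapp's jars live under WEB-INF/lib and are named log4j-core-<version>.jar; the minimum fixed version is passed in as a parameter and should be taken from the Log4J security page referenced above, since the notice itself does not state one.

```shell
#!/bin/sh
# Added example (not from the advisory or the JSPWiki project): audit a
# JSPWiki webapp deployment against the two mitigations the notice describes.

# Print the Log4j 2 version bundled in a webapp lib directory, taken from the
# jar filename (assumes the standard log4j-core-<version>.jar naming).
# Returns 1 and prints nothing if no log4j-core jar is present.
log4j_core_version() {
  lib_dir="$1"
  for jar in "$lib_dir"/log4j-core-*.jar; do
    [ -e "$jar" ] || return 1      # glob did not match anything
    base=$(basename "$jar" .jar)
    echo "${base#log4j-core-}"
    return 0
  done
  return 1
}

# Return 0 if dotted version $1 is at least dotted version $2.
# Sorts the two numerically field by field; if the minimum comes out first,
# the candidate is new enough.
version_at_least() {
  lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)
  [ "$lowest" = "$2" ]
}

# Return 0 if the given JVM option string (e.g. the value of CATALINA_OPTS)
# carries the lookup-disabling flag the notice recommends.
has_no_lookups_flag() {
  case " $1 " in
    *" -Dlog4j2.formatMsgNoLookups=true "*) return 0 ;;
    *) return 1 ;;
  esac
}

# Overall audit: returns 0 (mitigated) when the bundled log4j-core is at least
# the minimum fixed version, or when the JVM flag is present; 1 otherwise.
#   $1 = WEB-INF/lib directory, $2 = JVM options string, $3 = minimum fixed version
audit_jspwiki() {
  lib_dir="$1"; jvm_opts="$2"; min_fixed="$3"
  ver=$(log4j_core_version "$lib_dir") || ver=""
  if [ -n "$ver" ] && version_at_least "$ver" "$min_fixed"; then
    echo "OK: log4j-core $ver >= $min_fixed"
    return 0
  fi
  if has_no_lookups_flag "$jvm_opts"; then
    echo "OK: lookups disabled via JVM flag (log4j-core ${ver:-not found})"
    return 0
  fi
  echo "VULNERABLE: log4j-core ${ver:-not found}, no mitigation flag set"
  return 1
}

# Usage: ./audit.sh /path/to/JSPWiki/WEB-INF/lib <min-fixed-version>
# CATALINA_OPTS is read from the environment when the script is invoked.
if [ "$#" -ge 2 ]; then
  audit_jspwiki "$1" "${CATALINA_OPTS:-}" "$2"
fi
```

The jar-name check only reflects what sits in WEB-INF/lib; a log4j-core jar placed elsewhere on the runtime classpath (for example a shared Tomcat lib directory) would need the same check run against that directory. Upgrading the dependency remains the mitigation the notice lists first; the flag check is there to confirm the stopgap was actually applied on the running JVM rather than only written into a startup script.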