Posted to user@ofbiz.apache.org by Bs Serge <se...@gmail.com> on 2021/12/13 08:50:40 UTC

Log4j in OFBiz

Hi all,

I’m sure all of you are aware of what’s going on with the Log4j security
vulnerability. If not, then:

- https://www.wired.com/story/log4j-flaw-hacking-internet/
- https://logging-apache-org.translate.goog/log4j/2.x/security.html?_x_tr_sl=de&_x_tr_tl=en&_x_tr_hl=en-US

So some of us are wondering:

Does this affect at least some versions of OFBiz? And what can one do to
make sure that they are safe from this vulnerability?

Best Regards,

Re: Log4j in OFBiz

Posted by Nicolas Malin <ni...@nereide.fr>.
Hello,
OFBiz is affected by this.
This weekend we published a corrective version, 18.12.03 [1], and the
trunk has also been corrected (many thanks to Jacques!)

If you want to fix your OFBiz version, update your log4j dependencies to
version 2.15.0.

You can check Jacques's commit
64a0b6e8d04b936f472b418cc8847c03b462d3a0 for more details.

Nicolas

[1] https://dlcdn.apache.org/ofbiz/apache-ofbiz-18.12.03.zip
[2] https://github.com/apache/ofbiz-framework/commit/64a0b6e8d04b936f472b418cc8847c03b462d3a0

On 13/12/2021 09:50, Bs Serge wrote:
> Hi all,
>
> I’m sure all of you are aware of what’s going on with the Log4j security
> vulnerability. If not, then:
>
> - https://www.wired.com/story/log4j-flaw-hacking-internet/
> - https://logging-apache-org.translate.goog/log4j/2.x/security.html?_x_tr_sl=de&_x_tr_tl=en&_x_tr_hl=en-US
>
> So some of us are wondering:
>
> Does this affect at least some versions of OFBiz? And what can one do to
> make sure that they are safe from this vulnerability?
>
> Best Regards,
>
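
An added example, not part of the thread or of OFBiz's own code: a Python check that finds log4j-core jars under a directory and flags any below the 2.15.0 named in the reply above. The function names are hypothetical, and the minimum version is a parameter so it can follow whatever the project's current advisory states.

```python
"""Find log4j-core jars under a directory and flag versions below a minimum."""
import re
import sys
import zipfile
from pathlib import Path

# Maven metadata that log4j-core jars carry; it survives a renamed jar file.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
NAME_RE = re.compile(r"log4j-core-(\d+(?:\.\d+)*)")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); suffixes such as '-beta9' are ignored."""
    found = re.match(r"\d+(?:\.\d+)*", text)
    return tuple(int(n) for n in found.group().split(".")) if found else (0,)


def log4j_core_version(jar):
    """Return the log4j-core version of a jar, or None if it is not log4j-core."""
    try:
        with zipfile.ZipFile(jar) as zf:
            if POM_PROPS in zf.namelist():
                props = zf.read(POM_PROPS).decode("utf-8", "replace")
                found = re.search(r"^version=(\S+)", props, re.M)
                if found:
                    return found.group(1)
    except (zipfile.BadZipFile, OSError):
        pass  # unreadable archive: fall back to the file name
    found = NAME_RE.search(Path(jar).name)
    return found.group(1) if found else None


def scan(root, minimum="2.15.0"):
    """Return [(path, version, is_ok)] for every log4j-core jar under root."""
    floor = parse_version(minimum)
    results = []
    for jar in sorted(Path(root).rglob("*.jar")):
        version = log4j_core_version(jar)
        if version:
            results.append((str(jar), version, parse_version(version) >= floor))
    return results


if __name__ == "__main__":
    # Usage: python check_log4j.py <install-dir>  (the directory is the reader's own)
    findings = scan(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, version, ok in findings:
        print(f"{'OK ' if ok else 'OLD'} {version:10} {path}")
    sys.exit(1 if any(not ok for _, _, ok in findings) else 0)
```

The scan only sees jars that sit on disk under the given directory; copies nested inside other archives, or held in a build tool's cache elsewhere, need a separate pass.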