Log4Shell vulnerability fix instructions
Hi,
we were notified about the latest Apache Log4j 2 critical vulnerability.
The fix instructions are provided here https://www.oxygenxml.com/security/advi ... mitigation and here https://blog.oxygenxml.com/topics/oxyge ... s_faq.html.
However, I would kindly ask you to verify if the following process is correct for our particular case.
(We are using <oXygen/> XML Editor 20.1 (on my computer, build 2020010914) on Windows 10)
- Remove JndiLookup class from the classpath
- Delete the JndiLookup class from those JAR files. Please provide an alternative command for Windows.
Note: By scanning my system for log4j JAR files with
where /r c:\ log4j-core-*.jar
I found
c:\eXist-db\lib\log4j-core-2.14.1.jar
c:\Program Files\Oxygen XML Editor 20\lib\xproc\calabash\lib\log4j-core-2.1.jar
c:\Users\*\AppData\Roaming\com.oxygenxml\eXistdb\localhost_8080\log4j-core-2.11.0.jar
c:\Users\*\AppData\Roaming\com.oxygenxml\eXistdb\localhost_8080\log4j-core-2.14.1.jar
- Set the environment variable
LOG4J_FORMAT_MSG_NO_LOOKUPS="true"
Kind regards,
Oleksii Sapov-Erlinger
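A Windows way to do the "delete the JndiLookup class from those JAR files" step asked about above, as an added example that is not part of the original post or of the Oxygen advisory. It uses the .NET zip classes from PowerShell; the default root folder, the function name and the -Apply switch are assumptions made for this sketch.

```powershell
# Added example: report or strip JndiLookup.class from log4j-core JARs.
# Run from an elevated prompt with the application closed, since JARs under
# "Program Files" are write-protected and may be locked while in use.
param(
    # Assumption: folders to search; replace with the ones from your own scan.
    [string[]]$Roots = @('C:\Program Files\Oxygen XML Editor 20'),
    [switch]$Apply   # without -Apply nothing is modified, JARs are only reported
)

Add-Type -AssemblyName System.IO.Compression
Add-Type -AssemblyName System.IO.Compression.FileSystem

# Path of the class inside the JAR (JAR entries always use forward slashes).
$EntryName = 'org/apache/logging/log4j/core/lookup/JndiLookup.class'

function Remove-JndiLookup {   # hypothetical helper name
    param([string]$JarPath, [switch]$Apply)

    # Pass 1: read-only check, so untouched JARs are never rewritten.
    $zip = [System.IO.Compression.ZipFile]::OpenRead($JarPath)
    try     { $present = $null -ne $zip.GetEntry($EntryName) }
    finally { $zip.Dispose() }

    if (-not $present) { return 'clean' }
    if (-not $Apply)   { return 'JndiLookup present' }

    # Pass 2: keep a backup, then delete the entry in place.
    # The .bak copy still contains the class; remove it once the tool is verified.
    Copy-Item -LiteralPath $JarPath -Destination "$JarPath.bak" -Force
    $zip = [System.IO.Compression.ZipFile]::Open(
        $JarPath, [System.IO.Compression.ZipArchiveMode]::Update)
    try     { $zip.GetEntry($EntryName).Delete() }
    finally { $zip.Dispose() }
    return 'JndiLookup removed'
}

Get-ChildItem -Path $Roots -Recurse -Filter 'log4j-core-*.jar' -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Jar    = $_.FullName
            Result = Remove-JndiLookup -JarPath $_.FullName -Apply:$Apply
        }
    }
```

Run it once without -Apply to see which JARs still carry the class, then again with -Apply. Removing the class matters most for old copies such as log4j-core-2.1.jar, because the LOG4J_FORMAT_MSG_NO_LOOKUPS setting is only honoured by Log4j 2.10 and later.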
Re: Log4Shell vulnerability fix instructions
Hi Oleksii,
About the problems found in the Exist data source jars, I think the first priority is to update your Exist database; please see this comment I made here:
https://github.com/oxygenxml/oxygen-log ... r/issues/2
About the jars located in "c:\Program Files\Oxygen XML Editor 20\lib\xproc\calabash\lib\", if you are not using XProc in any way, you can also remove the "c:\Program Files\Oxygen XML Editor 20\lib\xproc\" folder completely.
Regards,
Radu
Radu Coravu
<oXygen/> XML Editor
http://www.oxygenxml.com