Log4Shell vulnerability fix instructions
Posted: Fri Dec 17, 2021 5:15 pm
Hi,
We were notified about the latest Apache Log4j 2 critical vulnerability.
The fix instructions are provided here https://www.oxygenxml.com/security/advi ... mitigation and here https://blog.oxygenxml.com/topics/oxyge ... s_faq.html.
However, I would kindly ask you to verify if the following process is correct for our particular case.
(We are using <oXygen/> XML Editor 20.1 (on my computer, build 2020010914) on Windows 10)
- Remove JndiLookup class from the classpath
- Delete the JndiLookup class from those JAR files. Please provide an alternative command for Windows.
Note: By scanning my system for log4j JAR files with
Code:
where /r c:\ log4j-core-*.jar
I found
c:\eXist-db\lib\log4j-core-2.14.1.jar
c:\Program Files\Oxygen XML Editor 20\lib\xproc\calabash\lib\log4j-core-2.1.jar
c:\Users\*\AppData\Roaming\com.oxygenxml\eXistdb\localhost_8080\log4j-core-2.11.0.jar
c:\Users\*\AppData\Roaming\com.oxygenxml\eXistdb\localhost_8080\log4j-core-2.14.1.jar
- Set the environment variable
Code:
LOG4J_FORMAT_MSG_NO_LOOKUPS="true"
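The scan and the JndiLookup removal asked about above, written as a PowerShell script for Windows (an added example, not part of the original post or of the Oxygen advisory). The `$Root` and `-Remove` parameter names are chosen here, and the script also flags JARs older than 2.10, for which the `LOG4J_FORMAT_MSG_NO_LOOKUPS` variable has no effect.

```powershell
# Added example (not from the original post). Stop Oxygen and eXist-db first so the
# JARs are not locked. Parameter names $Root and -Remove are chosen for this example.
param(
    [string]$Root = 'C:\',
    [switch]$Remove          # without -Remove the script only reports
)

Add-Type -AssemblyName System.IO.Compression.FileSystem
# Standard location of the class inside log4j-core JARs.
$entryName = 'org/apache/logging/log4j/core/lookup/JndiLookup.class'
$mode = if ($Remove) { 'Update' } else { 'Read' }

Get-ChildItem -Path $Root -Filter 'log4j-core-*.jar' -Recurse -File -ErrorAction SilentlyContinue |
ForEach-Object {
    $jar = $_
    # LOG4J_FORMAT_MSG_NO_LOOKUPS is only read by Log4j 2.10 and later, so record
    # whether the version in the file name is new enough for it to have any effect.
    $envVarApplies = $null
    if ($jar.Name -match '^log4j-core-(\d+)\.(\d+)') {
        $envVarApplies = ([int]$Matches[1] -eq 2) -and ([int]$Matches[2] -ge 10)
    }
    $zip = $null
    try {
        $zip = [System.IO.Compression.ZipFile]::Open($jar.FullName, $mode)
        $entry = $zip.GetEntry($entryName)
        if ($null -eq $entry) { $status = 'JndiLookup.class not present' }
        elseif ($Remove)      { $entry.Delete(); $status = 'JndiLookup.class removed' }
        else                  { $status = 'JndiLookup.class PRESENT' }
    }
    catch { $status = "error: $($_.Exception.Message)" }
    finally { if ($zip) { $zip.Dispose() } }   # Dispose writes the change back in Update mode

    [pscustomobject]@{
        Jar           = $jar.FullName
        EnvVarApplies = $envVarApplies
        Status        = $status
    }
}
```

Run it once without `-Remove` to list the findings, then again with `-Remove`; JARs under `Program Files` need an elevated prompt to be rewritten.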