[oXygen-user] [ann] Security maintenance builds in response to the Log4j vulnerability

Oxygen XML Editor Support (Radu Coravu) support at oxygenxml.com
Fri Dec 17 09:52:50 CST 2021 

Hi Lisa,


Right now we have on our web site new installation kits fixing the 
security problem for Oxygen 24.0, 23.1 and we'll soon have the same for 
Oxygen 22.1.


For older Oxygen versions there was only one component in Oxygen uses 
the Log4j 2.x libraries, the Calabash XProc engine located in 
"OXYGEN_INSTALL_DIR\lib\xproc\calabash". If you are not using Oxygen to 
edit XProc files you can remove that "calabash" folder completely.


Or you can try to use this small free utility we provide to update all 
Log4.j 2.x libraries in your Oxygen installation:

https://github.com/oxygenxml/oxygen-log4j-patcher


Regards,

Radu

Radu Coravu
Oxygen XML Editor


On 12/17/21 16:14, McAulay, Lisa wrote:
> Hi George and Oxygen Users,
>
> I apologize for bothering you at this time, but I'm trying to 
> determine my risk with Oxygen XML 21.1, build 2019120214. I see it 
> lists log4j 1.2.17, which I think isn't affected by this log4j 
> problem. I'm hoping so!
>
>
> Best regards,
> Elizabeth
>
>
>
> *Elizabeth McAulay
> Head of the Digital Library Program*
> emcaulay /at/ library.ucla.edu
> https://digital.library.ucla.edu/
>
> UCLA Library Logo <https://www.library.ucla.edu/>
>
> UCLA acknowledges the Gabrielino/Tongva peoples as the traditional 
> land caretakers of Tovaangar (the Los Angeles basin and So. Channel 
> Islands). As a land grant institution, we pay our respects to the 
> Honuukvetam (Ancestors), ‘Ahiihirom (Elders) and ‘Eyoohiinkem (our 
> relatives/relations) past, present and emerging.
>
>
>
> ------------------------------------------------------------------------
> *From:* oXygen-user <oxygen-user-bounces at oxygenxml.com> on behalf of 
> George Bina <george at oxygenxml.com>
> *Sent:* Friday, December 17, 2021 5:35 AM
> *To:* oXygen User ML <oxygen-user at oxygenxml.com>
> *Subject:* [oXygen-user] [ann] Security maintenance builds in response 
> to the Log4j vulnerability
> Hi all,
>
> We made available maintenance builds for many of our products to provide
> a fix for the recent security vulnerabilities related to the Apache
> Log4j library. These builds cover the latest versions of our products as
> well as older versions.
>
> The corresponding security advisory is updated with the latest
> information about these issue, you can it at:
> https://www.oxygenxml.com/security/advisory/CVE-2021-44228.html
>
> The new maintenance builds that we made available up to this point are
> listed below:
>
> Oxygen XML Editor
> ==========================================
>
> Oxygen XML Editor 24.0 build 2021121518
> https://www.oxygenxml.com/xml_editor/download_oxygenxml_editor.html
>
> Oxygen XML Editor 23.1 build 2021121415
> https://www.oxygenxml.com/xml_editor/software_archive_editor.html
>
> Oxygen XML Author
> ==========================================
>
> Oxygen XML Author 24.0 build 2021121518
> https://www.oxygenxml.com/xml_author/download_oxygenxml_author.html
>
> Oxygen XML Author 23.1 build 2021121415
> https://www.oxygenxml.com/xml_author/software_archive_author.html
>
> Oxygen XML Developer
> ==========================================
>
> Oxygen XML Developer 24.0 build 2021121518
> https://www.oxygenxml.com/xml_developer/download_oxygenxml_developer.html
>
> Oxygen XML Developer 23.1 build 2021121317
> https://www.oxygenxml.com/xml_developer/software_archive_developer.html
>
> Oxygen XML Web Author
> ==========================================
>
> Oxygen XML Web Author 24.0.0 build 2021121314
> https://www.oxygenxml.com/xml_web_author/download_oxygenxml_web_author.html
>
> XML Web Author 23.1.1.2 build 2021121408
> https://www.oxygenxml.com/xml_web_author/software_archive_web_author.html
>
> Oxygen XML Web Author 22.1.0.4 build 2021121415
> https://www.oxygenxml.com/xml_web_author/software_archive_web_author.html
>
> Oxygen Content Fusion
> ==========================================
>
> Oxygen Content Fusion 4.1.4 build 2021121611
> https://www.oxygenxml.com/content_fusion/download.html
>
> Oxygen Content Fusion 3.0.1 build 2021121414
> https://www.oxygenxml.com/content_fusion/software_archive_content_fusion.html
>
> Oxygen Content Fusion 2.0.3 build 2021121417
> https://www.oxygenxml.com/content_fusion/software_archive_content_fusion.html
>
> Oxygen Feedback
> ==========================================
>
> Oxygen Feedback Enterprise 1.4.5 build 2021121314
> https://www.oxygenxml.com/oxygen_feedback_enterprise/download.html
>
> Oxygen Publishing Engine
> ==========================================
>
> Oxygen Publishing Engine 24.0 build 2021121611
> https://www.oxygenxml.com/publishing_engine/download.html
>
> Oxygen Publishing Engine 23.1 build 2021121413
> https://www.oxygenxml.com/publishing_engine/software_archive_publishing_engine.html
>
> Oxygen XML WebHelp
> ==========================================
>
> Oxygen XML WebHelp 24.0 build 2021121511
> https://www.oxygenxml.com/xml_webhelp/download_oxygenxml_webhelp.html
>
> Oxygen XML WebHelp 23.1 build 2021121412
> https://www.oxygenxml.com/xml_webhelp/software_archive_webhelp.html
>
> Oxygen PDF Chemistry
> ==========================================
>
> Oxygen PDF Chemistry 24.0 build 2021121611
> https://www.oxygenxml.com/pdf_chemistry/download.html
>
> Oxygen PDF Chemistry 23.1 build 2021121413
> https://www.oxygenxml.com/pdf_chemistry/software_archive_chemistry.html
>
> Oxygen License Server
> ==========================================
>
> Oxygen License Server 24.0 build 2021121311
> https://www.oxygenxml.com/license_server/download.html
>
> ==========================================
>
> The Oxygen SDK and some of the plugins that we make available that
> contain the log4j library were also updated:
>
> Oxygen SDK
> ==========================================
>
> Oxygen SDK for version 24 is updated to version 24.0.0.2
> Oxygen SDK for version 23 is updated to version 23.1.0.4
> Oxygen SDK for version 22 is updated to version 22.1.0.6
>
> Please update your dependencies to our SDK to point to the corresponding
> fix version of the SDK.
>
> Web Author PDF Plugin
> ==========================================
>
> Web Author PDF Plugin 24.0.0.1
> https://www.oxygenxml.com/maven/com/oxygenxml/web-author-publishing-plugin/24.0.0.1
>
>
> Web Author PDF Plugin 23.1.1.2
> https://www.oxygenxml.com/maven/com/oxygenxml/web-author-publishing-plugin/23.1.1.2
>
> Oxygen XML Editor/Author/Developer plugins
> ==========================================
>
> Please use the "Help->Manage Add-ons..." action to uninstall previous
> versions and make sure you installed the latest version of the following
> add-ons:
>
> Oxygen Web Author Test Server Add-on should be updated to version
> 22.1.1, 23.1.2 or 24.0.1
>
> XSD to JSON Schema Converter should be updated to version 23.1.1 or 24.0.1
>
> Git Client should be update to version 3.0.1
>
> Batch Documents Converter should be updated to version 3.2.1
>
> ==========================================
>
> We are still working to provide maintenance builds for more of the older
> versions as well as tools to help automating the mitigation steps.
>
> Best Regards,
> George
> --
> George Cristian Bina
> <oXygen/> XML Editor, Schema Editor and XSLT Editor/Debugger
> http://www.oxygenxml.com
>
> _______________________________________________
> oXygen-user mailing list
> oXygen-user at oxygenxml.com
> https://www.oxygenxml.com/mailman/listinfo/oxygen-user
>
> _______________________________________________
> oXygen-user mailing list
> oXygen-user at oxygenxml.com
> https://www.oxygenxml.com/mailman/listinfo/oxygen-user
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.oxygenxml.com/pipermail/oxygen-user/attachments/20211217/7bbbc45c/attachment.html>

More information about the oXygen-user mailing list