- Type: Task
- Status: Resolved
- Priority: Blocker
- Resolution: Fixed
- Affects Version/s: 10.10-HF55, 2021.12
- Fix Version/s: 10.10-HF56, 2021.13
- Component/s: Security
- Release Notes Summary: Upgrade Apache log4j to 2.15.0
- Tags:
- Team: PLATFORM
- Sprint: nxplatform #50
There is a zero-day in log4j that impacts version 2.13.3, the version embedded in Nuxeo (10.10 and 2021): https://www.lunasec.io/docs/blog/log4j-zero-day/
We should be protected against the LDAP vector as long as we run a JDK > 11.0.1 (or > 8u191 on the Java 8 line).
However, there might be other unidentified vectors/exploits.
The Log4j 2.15.0 release essentially sets the "log4j2.formatMsgNoLookups" option to true by default in order to block these attacks.
Adding "-Dlog4j2.formatMsgNoLookups=true" to the JVM command line immediately mitigates the issue on a given deployment. In nuxeo.conf:
JAVA_OPTS=$JAVA_OPTS -Dlog4j2.formatMsgNoLookups=true
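Added example, not part of this ticket or of the Nuxeo code base: a small POSIX sh audit that checks a deployment for the interim mitigation above (the flag on an active JAVA_OPTS line in nuxeo.conf) and for the log4j-core jar version, and classifies it as fixed (2.15.0 or later, per the Fix Version), mitigated (older jar but flag set) or vulnerable. The lib directory layout, the nuxeo.conf contents and the temporary fixtures are constructed for illustration; on a real server point it at the deployment's nuxeo.conf and lib directory.

```shell
#!/bin/sh
# Added example (not from the Nuxeo ticket): audit a Nuxeo deployment for the
# log4j2.formatMsgNoLookups mitigation and the bundled log4j-core version.
# Sample files created by make_fixture are constructed for illustration.

# 0 if an active (uncommented) JAVA_OPTS line in the given nuxeo.conf
# carries the lookup-disabling flag, 1 otherwise.
has_nolookups_flag() {
  grep -E '^[[:space:]]*JAVA_OPTS=' "$1" 2>/dev/null \
    | grep -q -- '-Dlog4j2\.formatMsgNoLookups=true'
}

# Print the version of the first log4j-core jar in a lib directory; 1 if none.
log4j_core_version() {
  for jar in "$1"/log4j-core-*.jar; do
    [ -e "$jar" ] || continue
    basename "$jar" | sed -n 's/^log4j-core-\([0-9][0-9.]*\)\.jar$/\1/p'
    return 0
  done
  return 1
}

# 0 if dotted version $1 >= $2 (numeric components, e.g. 2.15.0 vs 2.13.3).
version_ge() {
  lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
  [ "$lowest" = "$2" ]
}

# Classify a deployment: "fixed" (log4j-core >= 2.15.0), "mitigated"
# (older log4j-core but the JVM flag is active), otherwise "vulnerable".
audit_status() {
  conf="$1"; lib="$2"
  ver=$(log4j_core_version "$lib" || true)
  if [ -n "$ver" ] && version_ge "$ver" 2.15.0; then
    echo fixed
  elif has_nolookups_flag "$conf"; then
    echo mitigated
  else
    echo vulnerable
  fi
}

# Build a constructed deployment layout under a temp dir.
# Args: log4j-core version, "flag" or "noflag". Prints the directory.
make_fixture() {
  d=$(mktemp -d)
  mkdir -p "$d/lib"
  : > "$d/lib/log4j-core-$1.jar"
  {
    echo 'nuxeo.templates=default'
    # A commented-out line must not count as an active mitigation.
    echo '#JAVA_OPTS=$JAVA_OPTS -Dlog4j2.formatMsgNoLookups=true'
    if [ "$2" = flag ]; then
      echo 'JAVA_OPTS=$JAVA_OPTS -Dlog4j2.formatMsgNoLookups=true'
    fi
    echo 'JAVA_OPTS=$JAVA_OPTS -Xms512m'
  } > "$d/nuxeo.conf"
  echo "$d"
}

# Walk the three interesting states on constructed fixtures.
demo() {
  for spec in 2.13.3:noflag 2.13.3:flag 2.15.0:noflag; do
    v=${spec%%:*}; f=${spec#*:}
    d=$(make_fixture "$v" "$f")
    echo "log4j-core $v, JAVA_OPTS flag: $f -> $(audit_status "$d/nuxeo.conf" "$d/lib")"
    rm -rf "$d"
  done
}
demo
```

The check only accepts the flag on an uncommented JAVA_OPTS line, since a commented template line in nuxeo.conf does nothing at runtime, and it treats the 2.15.0 jar as the real fix and the flag as the stopgap the ticket describes; the related ticket NXP-30764 moves the baseline to 2.16.0, so the threshold should be raised once that upgrade lands.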
- is related to: NXP-30764 Upgrade Apache log4j to 2.16.0 (Resolved)
- Is referenced in: