CVE-2021-44228 in log4j2

Question

CVE-2021-44228 in log4j2

sopgreg opened this issue 3 years ago · comments

It seems like HB2B is affected by

https://nvd.nist.gov/vuln/detail/CVE-2021-44228

log4j2 needs to be upgraded to >= 2.15.0 or a workaround must be applied to startServer.bat/startServer.sh to set the property log4j2.formatMsgNoLookups (in case no log lookups are required)

regards

Renate Slebe · Answer 1 · Mon Dec 13 2021 19:42:17 GMT+0800 (China Standard Time)

Indeed, the problems with Log4J affect Holodeck B2B too. In the new release we will upgrade to the latest version. For now, the fastest way to fix this issue is to upgrade the Log4J jars in Holodeck-B2B/lib to the latest version manually.

Sander Fieten · Answer 2 · Tue Dec 14 2021 07:29:14 GMT+0800 (China Standard Time)

Fixed in versions 5.3.1