holodeck-b2b/Holodeck-B2B

CVE-2021-44228 in log4j2

sopgreg opened this issue · 2 comments

It seems like HB2B is affected by

https://nvd.nist.gov/vuln/detail/CVE-2021-44228

log4j2 needs to be upgraded to >= 2.15.0, or a workaround must be applied to startServer.bat/startServer.sh to set the property log4j2.formatMsgNoLookups (in case no log lookups are required).

regards

Indeed, the problems with Log4J affect Holodeck B2B too. In the new release we will upgrade to the latest version. For now, the fastest way to fix this issue is to upgrade the Log4J jars in Holodeck-B2B/lib to the latest version manually.
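The two fixes named above (upgrade to Log4j >= 2.15.0, or replace the jars in Holodeck-B2B/lib by hand) both leave an operator wanting a quick way to confirm what is actually deployed. The following is an added example, not Holodeck B2B project code: a POSIX shell check that scans a lib directory for `log4j-core-<version>.jar` files and reports any whose version is below the 2.15.0 threshold from the report. It assumes the upstream jar naming pattern and plain dotted versions (pre-release suffixes such as `-rc1` are not handled); the threshold and directory name are the ones stated in this issue.

```shell
#!/bin/sh
# Added example (not Holodeck B2B project code): report Log4j core jars in a
# lib directory whose version is below the 2.15.0 threshold named in the issue.
# Assumption: jars follow the upstream naming pattern log4j-core-<version>.jar
# with a plain dotted version (no pre-release suffix).

MIN_LOG4J="2.15.0"

# version_lt A B -> returns 0 if dotted version A is strictly lower than B
version_lt() {
    [ "$1" = "$2" ] && return 1
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$lowest" = "$1" ]
}

# check_log4j_dir DIR -> prints one line per log4j-core jar found;
# returns 0 when none is below MIN_LOG4J, 1 when at least one is outdated
check_log4j_dir() {
    dir="$1"
    status=0
    for jar in "$dir"/log4j-core-*.jar; do
        [ -e "$jar" ] || continue          # glob matched nothing
        ver=$(basename "$jar" .jar | sed 's/^log4j-core-//')
        if version_lt "$ver" "$MIN_LOG4J"; then
            echo "OUTDATED $jar (version $ver < $MIN_LOG4J)"
            status=1
        else
            echo "OK $jar (version $ver)"
        fi
    done
    return $status
}

# Usage: sh check_log4j.sh /path/to/Holodeck-B2B/lib
if [ $# -gt 0 ]; then
    check_log4j_dir "$1"
fi
```

The exit status makes the check usable in a deployment pipeline: a non-zero result means at least one `log4j-core` jar in the directory predates the fixed version and the manual jar replacement or upgrade described above has not been completed.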

Fixed in version 5.3.1