Google Git
Sign in
apache / ofbiz-framework / bccf14066cb2ca6fc5861eb457d06a2d0429d00b^! / .
commitbccf14066cb2ca6fc5861eb457d06a2d0429d00b[log] [tgz]
authorJacques Le Roux <jacques.le.roux@les7arts.com>Sat Dec 11 17:37:33 2021 +0100
committerJacques Le Roux <jacques.le.roux@les7arts.com>Sat Dec 11 17:37:33 2021 +0100
tree3f4feabac31bd7c3bd2665668509fd7cabb7cbdd
parent14f7feda74dc8f28988dc1070865c049ec6c2e06 [diff]
Fixed: [SECURITY] CVE-2021-44228: Apache Log4j2 (OFBIZ-12449)

CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker
controlled LDAP and other JNDI related endpoints:
https://logging.apache.org/log4j/2.x/security.html

I'm not sure we are concerned, have no time to check, better safe than sorry...

diff --git a/build.gradle b/build.gradle
index c58c300..00d11bf 100644
--- a/build.gradle
+++ b/build.gradle

@@ -190,7 +190,7 @@
     compile 'org.apache.geronimo.components:geronimo-transaction:3.1.4'
     compile 'org.apache.geronimo.specs:geronimo-jms_1.1_spec:1.1.1'
     compile 'org.apache.httpcomponents:httpclient-cache:4.5.6'
-    compile 'org.apache.logging.log4j:log4j-api:2.11.1' // the API of log4j 2
+    compile 'org.apache.logging.log4j:log4j-api:2.15.0' // the API of log4j 2
     compile 'org.apache.poi:poi:3.17'
     compile 'org.apache.pdfbox:pdfbox:2.0.24'
     compile 'org.apache.shiro:shiro-core:1.4.0'
@@ -231,11 +231,11 @@
     runtime 'org.apache.axis2:axis2-transport-local:1.7.8'
     runtime 'org.apache.derby:derby:10.14.2.0'
     runtime 'org.apache.geronimo.specs:geronimo-jaxrpc_1.1_spec:1.1'
-    runtime 'org.apache.logging.log4j:log4j-1.2-api:2.11.1' // for external jars using the old log4j1.2: routes logging to log4j 2
-    runtime 'org.apache.logging.log4j:log4j-core:2.11.1' // the implementation of the log4j 2 API
-    runtime 'org.apache.logging.log4j:log4j-jul:2.11.1' // for external jars using the java.util.logging: routes logging to log4j 2
-    runtime 'org.apache.logging.log4j:log4j-slf4j-impl:2.11.1' // for external jars using slf4j: routes logging to log4j 2
-    runtime 'org.apache.logging.log4j:log4j-jcl:2.11.1' // need to constrain to version to avoid classpath conflict (ReflectionUtil)
+    runtime 'org.apache.logging.log4j:log4j-1.2-api:2.15.0' // for external jars using the old log4j1.2: routes logging to log4j 2
+    runtime 'org.apache.logging.log4j:log4j-core:2.15.0' // the implementation of the log4j 2 API
+    runtime 'org.apache.logging.log4j:log4j-jul:2.15.0' // for external jars using the java.util.logging: routes logging to log4j 2
+    runtime 'org.apache.logging.log4j:log4j-slf4j-impl:2.15.0' // for external jars using slf4j: routes logging to log4j 2
+    runtime 'org.apache.logging.log4j:log4j-jcl:2.15.0' // need to constrain to version to avoid classpath conflict (ReflectionUtil)
     runtime 'org.codeartisans.thirdparties.swing:batik-all:1.8pre-r1084380'
 
     // plugin libs