Fixed: [SECURITY] CVE-2021-45105: Apache Log4j2 (OFBIZ-12470)
The configuration seems to have changed.
log4j-slf4j18-impl available in Maven as 2.16.0 is not in 2.17.0.
Also log4j-web is now needed. In R18 as compile when in trunk as readonly...
I was guided by this block in console.log of trunk demo:
Caused by: java.lang.NoClassDefFoundError: org/apache/logging/log4j/core/util/SetUtils
at org.apache.logging.log4j.web.Log4jWebInitializerImpl.getConfigURI(Log4jWebInitializerImpl.java:196)
at org.apache.logging.log4j.web.Log4jWebInitializerImpl.initializeNonJndi(Log4jWebInitializerImpl.java:175)
at org.apache.logging.log4j.web.Log4jWebInitializerImpl.start(Log4jWebInitializerImpl.java:112)
at org.apache.logging.log4j.web.Log4jServletContainerInitializer.onStartup(Log4jServletContainerInitializer.java:57)
at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5219)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
I'll dbl-check why, notably about log4j-slf4j18-impl.
At least it works well like that.
1 file changed
