holodeck-b2b / Holodeck-B2B

Holodeck B2B is an AS4 system-to-system messaging solution that implements the OASIS specifications for ebMS3 and its AS4 profile. For more information visit the project website:
http://holodeck-b2b.org
GNU General Public License v3.0

CVE-2021-44228 in log4j2 #123

Closed sopgreg closed 2 years ago

sopgreg commented 2 years ago

It seems like HB2B is affected by

https://nvd.nist.gov/vuln/detail/CVE-2021-44228

log4j2 needs to be upgraded to >= 2.15.0 or a workaround must be applied to startServer.bat/startServer.sh to set the property log4j2.formatMsgNoLookups (in case no log lookups are required).

regards
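A small audit script for the two mitigations this comment names, added here as an example and not part of the issue or the Holodeck B2B project: it assumes the install layout described above (Log4j jars in lib/, launcher startServer.sh), uses the 2.15.0 threshold quoted, and builds a throwaway directory with empty placeholder jars so it runs stand-alone.

```shell
#!/bin/sh
# Added example (not Holodeck B2B code): audit an install directory for the
# CVE-2021-44228 mitigations named in the issue. Assumed layout: Log4j jars in
# lib/, launcher startServer.sh; fixed-version threshold 2.15.0 from the issue.

# version_num "2.14.1" -> 2014001, so versions compare as plain integers.
# Plain dotted numeric versions only (no leading zeros, no -rc qualifiers).
version_num() {
    set -- $(printf '%s' "$1" | tr '.' ' ') 0 0 0
    echo $(( $1 * 1000000 + $2 * 1000 + $3 ))
}
# Succeeds when VERSION is below 2.15.0 and therefore must be upgraded.
log4j_needs_upgrade() {
    [ "$(version_num "$1")" -lt "$(version_num 2.15.0)" ]
}
# Succeeds when the launcher already sets the workaround system property.
workaround_present() {
    grep -q 'log4j2.formatMsgNoLookups=true' "$1"
}
# Lists every log4j-core jar in LIBDIR with its version; fails if any is too old.
scan_lib() {
    found_old=0
    for jar in "$1"/log4j-core-*.jar; do
        [ -e "$jar" ] || continue
        ver=$(basename "$jar" .jar | sed 's/^log4j-core-//')
        if log4j_needs_upgrade "$ver"; then
            echo "UPGRADE: $jar (log4j-core $ver < 2.15.0)"
            found_old=1
        else
            echo "ok:      $jar (log4j-core $ver)"
        fi
    done
    return $found_old
}
# Verdict: 0 = no old log4j-core jar, 1 = old jar and no workaround,
# 2 = old jar but lookups disabled via the launcher property.
audit_install() {
    if scan_lib "$1/lib"; then return 0; fi
    if workaround_present "$1/startServer.sh"; then
        echo "old jar mitigated by -Dlog4j2.formatMsgNoLookups=true in startServer.sh"
        return 2
    fi
    echo "VULNERABLE: old log4j-core and no workaround in startServer.sh"
    return 1
}
# Constructed sample layout (empty placeholder jars) so the script runs stand-alone.
demo_dir=$(mktemp -d)
mkdir "$demo_dir/lib"; : > "$demo_dir/lib/log4j-core-2.14.1.jar"
printf 'java -jar holodeckb2b.jar\n' > "$demo_dir/startServer.sh"
audit_install "$demo_dir" || echo "exit status $?"
rm -rf "$demo_dir"
```

Run it against a real install as `audit_install /path/to/holodeck-b2b`; the exit status is meant for use in a fleet-wide check script.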

RenateS commented 2 years ago

Indeed, the problems with Log4J affect Holodeck B2B too. In the new release we will upgrade to the latest version. For now, the fastest way to fix this issue is to upgrade the Log4J jars in Holodeck-B2B/lib to the latest version manually.

sfieten commented 2 years ago

Fixed in version 5.3.1