--
You received this message because you are subscribed to the Google Groups "uPortal Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to uportal-dev...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/uportal-dev/CAJ_1GkS5SazWNGN9PYxbqj%3DVhtVaZ0bdfRLLnFdire%3D_TNf%3D2Q%40mail.gmail.com.
Hey folks,
Here is the latest for those of you who have custom code with log4j2 “core” as a dependency. (Again, neither Log4j v1 nor Log4j2 API jars have this vulnerability.)
How to check: search Tomcat webapps/ for “log4j-core-2*.jar”. If found, note the version. This is important.
Latest details on addressing:
- Upgrading Java does not necessarily help, and should not be viewed as a risk mitigation strategy
- Log4j-core 2.x - 2.9 is vulnerable to the RCE, and there is no known workaround. Users should stop using the code and/or upgrade immediately
- Log4j-core 2.10 - 2.14 is vulnerable to the RCE, but can be mitigated by invoking the Java process with -Dlog4j2.formatMsgNoLookups=true, or setting the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS=true (would still require an app restart)
- Log4j-core 2.15 (might be earlier as well) has a DOS risk, but the RCE is resolved.
- We recommend upgrading to Log4j 2.16 (core and api) to resolve the RCE and DOS
- This RCE affects noted versions of log4j-core. There is no known RCE risk for log4j-api.
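The check and the version buckets above, turned into a small inventory script. This is an added example, not code from the post or from the uPortal project: it assumes exploded webapps (a jar packed inside an unexploded .war is not seen by a filename search and needs its contents listed separately), the stock log4j-core-<version>.jar file name, and the function names classify_log4j_version, scan_webapps and mitigation_present are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post. Inventories log4j-core jars under
# a Tomcat webapps/ tree and buckets each version per the action list above.
# Assumes exploded webapps and the stock "log4j-core-<version>.jar" file name.

# Print the action bucket for a log4j-core version string such as "2.14.1".
classify_log4j_version() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    minor=$(printf '%s' "$minor" | sed 's/[^0-9].*//')   # drop "-beta9" style suffixes
    [ "$major" = "2" ] || { echo "not-2.x"; return 0; }  # log4j-api / v1 are out of scope here
    [ -n "$minor" ] || { echo "unknown"; return 0; }
    if [ "$minor" -le 9 ]; then
        echo "rce-no-workaround"    # 2.0-2.9: stop using / upgrade immediately
    elif [ "$minor" -le 14 ]; then
        echo "rce-mitigable"        # 2.10-2.14: formatMsgNoLookups flag or env var, then restart
    elif [ "$minor" -eq 15 ]; then
        echo "dos-only"             # 2.15: RCE resolved, DoS risk remains
    else
        echo "ok"                   # 2.16+: recommended target
    fi
}

# Walk a webapps/ directory and emit one "path<TAB>version<TAB>bucket" line per
# log4j-core-2*.jar found. Only log4j-core is reported; log4j-api is skipped.
scan_webapps() {
    find "$1" -type f -name 'log4j-core-2*.jar' | while IFS= read -r jar; do
        name=$(basename "$jar" .jar)
        version=${name#log4j-core-}
        printf '%s\t%s\t%s\n' "$jar" "$version" "$(classify_log4j_version "$version")"
    done
}

# Return 0 when a Java command line (first argument) or the environment carries
# the 2.10-2.14 mitigation; useful after a restart to confirm it actually took.
mitigation_present() {
    case " $1 " in
        *" -Dlog4j2.formatMsgNoLookups=true "*) return 0 ;;
    esac
    [ "${LOG4J_FORMAT_MSG_NO_LOOKUPS:-}" = "true" ]
}

# Usage: sh log4j-inventory.sh /path/to/tomcat/webapps
if [ $# -gt 0 ]; then
    scan_webapps "$1"
fi
```

Run it against each Tomcat instance's webapps/ directory; anything in the rce-no-workaround or rce-mitigable buckets is the immediate work, and mitigation_present is the post-restart check that the JVM flag or environment variable is really in effect, since the flag only helps the 2.10-2.14 range.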
Please reach out to the community if you need assistance! That's what we are here for -- helping each other. If you are a Unicon OSS uPortal subscriber feel free to open a ZenDesk ticket.
Best,
-bjagg