log4j JMSAppender CVE-2021-4104


rent...@gmail.com

Dec 17, 2021, 5:57:00 AM
to DSpace Technical Support
Hi everyone

We've just been alerted to another CVE not mentioned in Tim's post:

This one seems to affect log4j v1.2- and certainly in our dspace/config/log4j.properties (v 6.4) I see ample reference to "appender" (see below). I'm wondering if action is necessary for this one.

Cheers again
Scott

# The name of the file appender
log4j.appender.A3=org.dspace.app.util.DailyFileAppender
# The filename of the log file created. A date stamp is appended to this
log4j.appender.A3.File=${log.dir}/cocoon.log
# Set this to yyyy-MM-DD for daily log files, or yyyy-MM for monthly files
log4j.appender.A3.DatePattern=yyyy-MM-dd
# The number of log files to keep, or 0 to keep them all
log4j.appender.A3.MaxLogs=14
# A2 uses PatternLayout.
log4j.appender.A3.layout=org.apache.log4j.PatternLayout
log4j.appender.A3.layout.ConversionPattern=%d %-5p %c %x - %m%n

rent...@gmail.com

Dec 17, 2021, 6:22:22 AM
to DSpace Technical Support
Hi folks,

I realise that was premature - I assume the fact that we're using DailyFileAppender means we are not vulnerable to JMSAppender vulnerabilities!

Cheers
Scott
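
The check discussed in this thread, as an added example that is not part of the original posts or of DSpace: CVE-2021-4104 concerns Log4j 1.2 configurations that use JMSAppender, so this lists the appender classes declared in a log4j.properties file and flags any that are `org.apache.log4j.net.JMSAppender`. The function names and the `J1` appender with its values are constructed for illustration.

```python
import re

JMS_APPENDER = "org.apache.log4j.net.JMSAppender"
# "log4j.appender.<name>" with no further dot declares that appender's class.
APPENDER_KEY = re.compile(r"^log4j\.appender\.([^.\s]+)$")

def parse_properties(text):
    """Minimal .properties reader: '#'/'!' comments, '=' or ':' separators,
    backslash line continuations. Escapes in keys are not handled."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):
            pending = line[:-1]  # join with the next physical line
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props

def audit(text):
    """Return ({appender name: class}, [names configured as JMSAppender])."""
    appenders = {}
    for key, value in parse_properties(text).items():
        m = APPENDER_KEY.match(key)
        if m:
            appenders[m.group(1)] = value
    jms = sorted(n for n, cls in appenders.items() if cls == JMS_APPENDER)
    return appenders, jms

# Some of the A3 lines quoted in the first post above.
POSTED = """\
# The name of the file appender
log4j.appender.A3=org.dspace.app.util.DailyFileAppender
log4j.appender.A3.File=${log.dir}/cocoon.log
"""
# Constructed sample (not from the thread) showing what a hit looks like.
CONSTRUCTED = POSTED + """\
log4j.appender.J1 = org.apache.log4j.net.\\
    JMSAppender
log4j.appender.J1.TopicBindingName=constructedTopic
"""

if __name__ == "__main__":
    for label, cfg in (("posted", POSTED), ("constructed", CONSTRUCTED)):
        print(label, "JMSAppender:", audit(cfg)[1] or "none")
```

Run it over every log4j.properties the application loads, since an appender can be declared in any of them.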
