Updating Jar files in ROOT/WEB-INF/lib/
41 views
Skip to first unread message
Braxton Van Gundy
Dec 14, 2021, 4:58:09 PM12/14/21
to DSpace Community
Hello,
We are on Dspace 6.3 and we are trying to update our log4J jar file to the latest 2.16.0 version. Even though the log4j 1.X.X files are not included in the latest vulnerability, we still would like to upgrade it.
We changed out the log4j-1.2.17.jar file in ROOT/WEB-INF/lib/ with the log4j-core-2.16.0.jar file (and restarted the app), however the logs show that the app is still looking for the original log4j-1.2.17.jar file. I thought dspace was configured to look at the contents of the ROOT/WEB-INF/lib/ folder and load the libraries based on that, but it looks like I was wrong. What do I have to do to get dspace to use this new Jar?
Thank you,
Braxton VanGundy
Tim Donohue
Dec 14, 2021, 5:02:28 PM12/14/21
to DSpace Community
Hi Braxton,
It's not possible to get DSpace 6.x or below to use log4j v2 without significant code changes (as log4j v2 is not backwards compatible with log4j v1). The effort to upgrade DSpace 7.x to use log4j v2 required over 1,000 lines of code to be changed, see: https://github.com/DSpace/DSpace/pull/2241 At this point in time, we do not have a way to backport that effort to DSpace 6.x (or below).
It's not possible to get DSpace 6.x or below to use log4j v2 without significant code changes (as log4j v2 is not backwards compatible with log4j v1). The effort to upgrade DSpace 7.x to use log4j v2 required over 1,000 lines of code to be changed, see: https://github.com/DSpace/DSpace/pull/2241 At this point in time, we do not have a way to backport that effort to DSpace 6.x (or below).
Tim
Braxton Van Gundy
Dec 14, 2021, 5:33:14 PM12/14/21
to DSpace Community
Got it, thanks Tim! So it sounds like our only option would be to upgrade to Dspace 7.x if we need to use the new version of Log4j.
Thanks for the quick response to this!
-Braxton VanGundy
Reply all
Reply to author
Forward
0 new messages