Which log4j version in ACS Community 6.1.2ga (201901)?

gsardisco
Member II

Which log4j version in ACS Community 6.1.2ga (201901)?

Hi, can you help me find which version of log4j is used in alfresco-content-services-community-distribution-6.1.2-ga (201901)?

I found only this information:

<plugin>
  <artifactId>maven-dependency-plugin</artifactId>
  <executions>
    <!-- CLOUD-1967 Put core log4j config in WEB-INF/classes, so that it's first in classloader -->
    <execution>
      <id>fetch-log4j-config</id>
      <phase>prepare-package</phase>
      <goals>
        <goal>unpack</goal>
      </goals>
      <configuration>
        <artifactItems>
          <artifactItem>
            <groupId>org.alfresco</groupId>
            <artifactId>alfresco-core</artifactId>
          </artifactItem>
        </artifactItems>
        <includes>log*.properties</includes>
        <outputDirectory>${project.build.outputDirectory}</outputDirectory>
      </configuration>
    </execution>
  </executions>
</plugin>

Where is the version of log4j that is used?

Thanks

4 Replies
angelborroy
Alfresco Employee

Re: Which log4j version in ACS Community 6.1.2ga (201901)?

log4j-1.2.17.jar

Hyland Developer Evangelist
loisVillar
Partner

Re: Which log4j version in ACS Community 6.1.2ga (201901)?

As you indicate that Alfresco makes use of the log4j version 1.2.17 library, I have seen that it also has a vulnerability: https://nvd.nist.gov/vuln/detail/CVE-2019-17571

Should any corrective measure be applied to Alfresco based on this?

angelborroy
Alfresco Employee

Re: Which log4j version in ACS Community 6.1.2ga (201901)?

If you are using SocketAppender (not provided by default in Alfresco configuration), then you need to upgrade the Log4j library.

Hyland Developer Evangelist
Kohler
Member II

Re: Which log4j version in ACS Community 6.1.2ga (201901)?

The attack is weaker compared to Log4j version 2.x. To verify if you are using this appender, double check your log4j configuration files for the presence of the org.apache.log4j.net.JMSAppender class.
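
The two checks discussed in this thread (which log4j jar is deployed, and whether any log4j configuration file references the appender classes named in the replies) can be scripted. The following is an added example, not code from the thread or from Alfresco; the directory layout in build_sample_tree and the rule "any file with log4j in its name ending in .properties or .xml" are assumptions made for the illustration.

```python
import re
import tempfile
from pathlib import Path

# Appender classes named in the replies above.
APPENDERS = ("org.apache.log4j.net.SocketAppender", "org.apache.log4j.net.JMSAppender")
# Matches log4j-<version>.jar only (not bridge jars such as log4j-1.2-api-*.jar).
JAR_RE = re.compile(r"^log4j-(\d+(?:\.\d+)*)\.jar$")

def find_log4j_jars(root):
    """Return {relative jar path: version} for log4j-<version>.jar files under root."""
    found = {}
    for jar in Path(root).rglob("log4j-*.jar"):
        m = JAR_RE.match(jar.name)
        if m:
            found[jar.relative_to(root).as_posix()] = m.group(1)
    return found

def find_appenders(root):
    """Return (file, line number, class) for active config lines naming an APPENDERS class."""
    hits = []
    for cfg in sorted(Path(root).rglob("*log4j*")):
        if cfg.suffix not in (".properties", ".xml") or not cfg.is_file():
            continue
        for n, line in enumerate(cfg.read_text(errors="replace").splitlines(), 1):
            s = line.strip()
            if s.startswith(("#", "!")):  # commented-out .properties line
                continue                   # (multi-line XML comments are not detected)
            hits += [(cfg.relative_to(root).as_posix(), n, c) for c in APPENDERS if c in s]
    return hits

def build_sample_tree(root):
    """Constructed sample layout; paths and file contents are illustrative only."""
    root = Path(root)
    lib, cls = root / "WEB-INF/lib", root / "WEB-INF/classes"
    ext = root / "shared/classes/alfresco/extension"
    for d in (lib, cls, ext):
        d.mkdir(parents=True)
    (lib / "log4j-1.2.17.jar").write_bytes(b"")
    (cls / "log4j.properties").write_text(
        "log4j.appender.Console=org.apache.log4j.ConsoleAppender\n"
        "#log4j.appender.Remote=org.apache.log4j.net.SocketAppender\n")
    (ext / "custom-log4j.properties").write_text(
        "log4j.rootLogger=error, Remote\n"
        "log4j.appender.Remote=org.apache.log4j.net.SocketAppender\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(find_log4j_jars(tmp))
        print(find_appenders(tmp))
```

To use it on a real installation, pass the Tomcat or webapp directory to find_log4j_jars and find_appenders instead of the sample tree.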