Hi, can you help me to find which version of log4j is used in alfresco-content-services-community-distribution-6.1.2-ga (201901)?
I found only this information:
```xml
<plugin>
  <artifactId>maven-dependency-plugin</artifactId>
  <executions>
    <!-- CLOUD-1967 Put core log4j config in WEB-INF/classes, so that it's first in classloader -->
    <execution>
      <id>fetch-log4j-config</id>
      <phase>prepare-package</phase>
      <goals>
        <goal>unpack</goal>
      </goals>
      <configuration>
        <artifactItems>
          <artifactItem>
            <groupId>org.alfresco</groupId>
            <artifactId>alfresco-core</artifactId>
          </artifactItem>
        </artifactItems>
        <includes>log*.properties</includes>
        <outputDirectory>${project.build.outputDirectory}</outputDirectory>
      </configuration>
    </execution>
  </executions>
</plugin>
```
Where is the version of log4j that is used?
Thanks
log4j-1.2.17.jar
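The reply above gives the jar name. The following is an added example (my own code, not Alfresco's tooling) that finds the answer mechanically: it walks an unpacked distribution, opens every .war/.ear/.amp archive it meets, and for each jar named like log4j-<version>.jar reads META-INF/MANIFEST.MF for an Implementation-Version or Bundle-Version, falling back to the version in the file name. The web-server/webapps/alfresco.war layout built by build_sample_distribution is an assumption used only to construct test data; point find_log4j_jars at the real unzipped distribution directory instead.

```python
"""Locate log4j jars in an unpacked Alfresco-style distribution and report versions.

Looks at plain .jar files on disk and at jars bundled inside .war/.ear/.amp
archives (e.g. WEB-INF/lib), reading META-INF/MANIFEST.MF for a version and
falling back to the version embedded in the file name.
"""
import functools
import io
import os
import re
import tempfile
import zipfile

# Matches log4j-1.2.17.jar as well as log4j-core-2.x.jar / log4j-api-2.x.jar
JAR_NAME = re.compile(r"^log4j(?:-core|-api)?-(\d+(?:\.\d+)+)\.jar$")
MANIFEST_KEYS = ("Implementation-Version", "Bundle-Version")


def manifest_version(jar_bytes):
    """Version declared in META-INF/MANIFEST.MF, or None if absent or unreadable."""
    try:
        with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError):
        return None
    for key in MANIFEST_KEYS:
        m = re.search(rf"^{key}:\s*(\S+)", manifest, re.M)
        if m:
            return m.group(1)
    return None


def classify(name, load):
    """(version, source) for a jar named like log4j-<ver>.jar, else None.

    `load` is a zero-argument callable returning the jar bytes; it is only
    invoked when the name matches, so unrelated jars are never read.
    """
    m = JAR_NAME.match(os.path.basename(name))
    if not m:
        return None
    version = manifest_version(load())
    return (version, "manifest") if version else (m.group(1), "filename")


def read_file(path):
    with open(path, "rb") as f:
        return f.read()


def find_log4j_jars(root):
    """Walk root; return sorted (location, version, source) triples.

    location is a path relative to root, or "<archive>!<entry>" for a jar
    packed inside a .war/.ear/.amp archive.
    """
    found = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if fn.endswith(".jar"):
                info = classify(fn, functools.partial(read_file, path))
                if info:
                    found.append((rel, *info))
            elif fn.endswith((".war", ".ear", ".amp")):
                with zipfile.ZipFile(path) as archive:
                    for entry in archive.namelist():
                        if not entry.endswith(".jar"):
                            continue
                        info = classify(entry, functools.partial(archive.read, entry))
                        if info:
                            found.append((f"{rel}!{entry}", *info))
    return sorted(found)


def build_sample_distribution(root):
    """Constructed sample data, not the real distribution: a minimal
    web-server/webapps/alfresco.war holding WEB-INF/lib/log4j-1.2.17.jar
    whose manifest declares Implementation-Version 1.2.17."""
    manifest = "Manifest-Version: 1.0\r\nImplementation-Version: 1.2.17\r\n\r\n"
    jar = io.BytesIO()
    with zipfile.ZipFile(jar, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", manifest)
        z.writestr("org/apache/log4j/Logger.class", b"")
    webapps = os.path.join(root, "web-server", "webapps")
    os.makedirs(webapps)
    with zipfile.ZipFile(os.path.join(webapps, "alfresco.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-1.2.17.jar", jar.getvalue())
        war.writestr("WEB-INF/lib/commons-io-2.6.jar", b"not a real jar")  # ignored by name


def demo():
    """Build the sample tree in a temporary directory and return the scan result."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_distribution(tmp)
        return find_log4j_jars(tmp)


if __name__ == "__main__":
    for location, version, source in demo():
        print(f"{location}: log4j {version} (from {source})")
```

Reading the manifest matters more than the file name on a real install: patched builds are sometimes renamed or shaded, and the manifest is what the packaging actually recorded.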
As you indicated that Alfresco makes use of the log4j 1.2.17 library, I have seen that it also has a vulnerability: https://nvd.nist.gov/vuln/detail/CVE-2019-17571
Should any corrective action be applied to Alfresco based on this?
If you are using SocketAppender (not provided by default in Alfresco configuration), then you need to upgrade the Log4j library.
The attack is weaker compared to Log4j version 2.x. To verify whether you are using this appender, double-check your log4j configuration files for the presence of the org.apache.log4j.net.JMSAppender class.
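The reply above names SocketAppender and the org.apache.log4j.net.JMSAppender class; both live in the org.apache.log4j.net package. As an added example (written for this page, not part of Alfresco or its default configuration), the check below parses log4j 1.x .properties files, lists every appender declared from that package, and says whether a logger actually attaches it, since log4j 1.2's PropertyConfigurator creates an appender when it parses a logger line that references it, so an unattached declaration is inert but still worth removing. The file locations in scan_tree's docstring (WEB-INF/classes/log4j.properties, which the pom fragment in the question populates, and extension *-log4j.properties files) are assumptions about a typical install; the two sample configurations are constructed.

```python
"""Check log4j 1.x .properties files for appenders from org.apache.log4j.net.

SocketAppender and JMSAppender both live in that package. An appender that is
declared but attached to no logger is reported with attached=False.
"""
import os
import re

# log4j.appender.<name>=<class>   (but not log4j.appender.<name>.<option>=...)
APPENDER_CLASS = re.compile(r"^\s*log4j\.appender\.(\w+)\s*=\s*([\w.$]+)\s*$", re.M)
# log4j.rootLogger=<level>, <appender>, ...   log4j.logger.<name>=<level>[, <appender> ...]
LOGGER_LINE = re.compile(
    r"^\s*log4j\.(?:rootLogger|rootCategory|logger\.[\w.]+|category\.[\w.]+)\s*=(.*)$",
    re.M,
)
NET_PACKAGE = "org.apache.log4j.net."


def find_network_appenders(config_text):
    """Return [{name, class, attached}] for every org.apache.log4j.net.* appender."""
    appenders = dict(APPENDER_CLASS.findall(config_text))
    attached = set()
    for value in LOGGER_LINE.findall(config_text):
        tokens = [t.strip() for t in value.split(",")]
        attached.update(t for t in tokens[1:] if t)  # first token is the level
    return [
        {"name": name, "class": cls, "attached": name in attached}
        for name, cls in sorted(appenders.items())
        if cls.startswith(NET_PACKAGE)
    ]


def scan_tree(root):
    """Apply find_network_appenders to every *log4j*.properties file under root.

    Assumed typical locations: WEB-INF/classes/log4j.properties inside the
    unpacked alfresco webapp and shared/classes/alfresco/extension/*-log4j.properties.
    Returns {relative_path: hits} for files that declare a net.* appender.
    """
    results = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if "log4j" in fn and fn.endswith(".properties"):
                path = os.path.join(dirpath, fn)
                with open(path, encoding="utf-8", errors="replace") as f:
                    hits = find_network_appenders(f.read())
                if hits:
                    results[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return results


# Constructed sample resembling a stock log4j.properties (console + file only).
DEFAULT_LIKE = """\
log4j.rootLogger=error, Console, File
log4j.appender.Console=org.apache.log4j.ConsoleAppender
log4j.appender.Console.layout=org.apache.log4j.PatternLayout
log4j.appender.File=org.apache.log4j.DailyRollingFileAppender
log4j.appender.File.File=alfresco.log
log4j.logger.org.alfresco=warn
"""

# Constructed sample where an operator added a SocketAppender to the root logger
# and left a JMSAppender declared but not attached to any logger.
MODIFIED = """\
log4j.rootLogger=error, Console, Remote
log4j.appender.Console=org.apache.log4j.ConsoleAppender
log4j.appender.Remote=org.apache.log4j.net.SocketAppender
log4j.appender.Remote.RemoteHost=loghost.example.internal
log4j.appender.Remote.Port=4560
log4j.appender.Jms=org.apache.log4j.net.JMSAppender
log4j.appender.Jms.TopicBindingName=logTopic
"""

if __name__ == "__main__":
    for label, text in (("default-like", DEFAULT_LIKE), ("modified", MODIFIED)):
        print(label, find_network_appenders(text) or "no org.apache.log4j.net appenders")
```

Run scan_tree against both the exploded webapp and the shared/classes tree, because an extension file can attach a network appender that the bundled log4j.properties does not mention.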