
[SECURITY] CVE-2021-44832: Apache Log4j2


Details

    • Type: Sub-task
    • Status: Closed
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 18.12.04
    • Fix Version/s: 18.12.05
    • Component/s: ALL COMPONENTS
    • Labels: None
    • Sprint: Bug Crush Event - 21/2/2015

    Description

      The Apache Log4j 2 team is pleased to announce the Log4j 2.17.1 release!

      Apache Log4j is a well known framework for logging application
      behavior. Log4j 2 is an upgrade to Log4j that provides significant
      improvements over its predecessor, Log4j 1.x, and provides many other
      modern features such as support for Markers, lambda expressions for
      lazy logging, property substitution using Lookups, multiple patterns
      on a PatternLayout and asynchronous Loggers. Another notable Log4j 2
      feature is the ability to be "garbage-free" (avoid allocating
      temporary objects) while logging. In addition, Log4j 2 will not lose
      events while reconfiguring.

      The artifacts may be downloaded from
      https://logging.apache.org/log4j/2.x/download.html.

      This release contains the changes noted below:

      Address CVE-2021-44832.
      Other minor fixes.

      Due to a break in compatibility in the SLF4J binding, Log4j now ships
      with two versions of the SLF4J to Log4j adapters. log4j-slf4j-impl
      should be used with SLF4J 1.7.x and earlier and log4j-slf4j18-impl
      should be used with SLF4J 1.8.x and later. SLF4J-2.0.0 alpha releases
      are not fully supported. See
      https://issues.apache.org/jira/browse/LOG4J2-2975 and
      https://jira.qos.ch/browse/SLF4J-511.

      The Log4j 2.17.1 API, as well as many core components, maintains
      binary compatibility with previous releases.

      GA Release 2.17.1

      Changes in this version include:

      Fixed Bugs

      LOG4J2-3293: JdbcAppender now uses JndiManager to access JNDI
      resources. JNDI is only enabled when system property
      log4j2.enableJndiJdbc is set to true.
      LOG4J2-3290: Remove unused method.
      LOG4J2-3292: ExtendedLoggerWrapper.logMessage no longer double-logs
      when location is requested.
      LOG4J2-3289: log4j-to-slf4j no longer re-interpolates formatted
      message contents.
      LOG4J2-3204: Correct SpringLookup package name in Interpolator. Thanks
      to Francis-FY.
      LOG4J2-3284: log4j-to-slf4j takes the provided MessageFactory into
      account. Thanks to Michael Vorburger.
      LOG4J2-3264: Fix MapLookup to lookup MapMessage before DefaultMap.
      Thanks to Yanming Zhou.
      LOG4J2-3274: Buffered I/O check had inverted logic in
      RollingFileAppenderBuilder. Thanks to Faisal Khan Thayub Khan.
      : Fix NPE when input is null in StrSubstitutor.replace(String, Properties).
      LOG4J2-3270: Lookups with no prefix only read values from the
      configuration properties as expected.
      LOG4J2-3256: Reduce ignored package scope of KafkaAppender. Thanks to
      Lee Dongjin.

      ________________________________

      Apache Log4j 2.17.1 requires a minimum of Java 8 to build and run.
      Log4j 2.12.1 is the last release to support Java 7. Java 7 is no
      longer supported by the Log4j team.

      For complete information on Apache Log4j 2, including instructions on
      how to submit bug reports, patches, or suggestions for improvement,
      see the Apache Log4j 2 website:

      https://logging.apache.org/log4j/2.x/


      Matt Sicker
      PMC Member, Logging Services, Apache Software Foundation
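An added check, not code from the OFBiz ticket or the Log4j project, that turns the two actionable points of the announcement above into an inventory audit: flag any log4j-core jar older than 2.17.1 from its Maven metadata, and report whether the JVM's log4j2.enableJndiJdbc property re-enables the JdbcAppender JNDI path. The jar contents and property maps it runs on are constructed samples.

```python
# Added example: inventory check for the Log4j 2.17.1 / CVE-2021-44832 fix.
# Not OFBiz or Log4j project code; the sample jar built below is constructed.
import io
import zipfile

FIXED = (2, 17, 1)  # first release that addresses CVE-2021-44832 (per the announcement)
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def parse_version(text):
    # "2.17.1" -> (2, 17, 1); a "-rc1" style suffix is dropped, missing parts read as 0
    parts = [int(p) for p in text.strip().split("-")[0].split(".")]
    return tuple((parts + [0, 0, 0])[:3])

def log4j_core_version(jar_bytes):
    # Version recorded in the jar's Maven metadata, or None if this is not log4j-core
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        if POM_PROPS not in zf.namelist():
            return None
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            key, _, value = line.partition("=")
            if key.strip() == "version":
                return value.strip()
    return None

def needs_upgrade(version):
    return parse_version(version) < FIXED

def jndi_jdbc_enabled(system_props):
    # From 2.17.1 the JdbcAppender only reaches JNDI when this property is "true"
    return system_props.get("log4j2.enableJndiJdbc", "false").strip().lower() == "true"

def make_sample_log4j_core(version):
    # Constructed stand-in for a log4j-core jar: Maven metadata only, no classes
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
    return buf.getvalue()

def audit(jars, system_props):
    # jars: {path: bytes}; one finding per log4j-core jar, other jars are skipped
    findings = []
    for path, data in jars.items():
        version = log4j_core_version(data)
        if version is not None:
            findings.append({"jar": path, "version": version,
                             "upgrade_required": needs_upgrade(version),
                             "jndi_jdbc_enabled": jndi_jdbc_enabled(system_props)})
    return findings
```

On a real deployment, feed `audit` the bytes of every jar under the application's lib directory and the JVM's `-D` properties; any finding with `upgrade_required` set, or with `jndi_jdbc_enabled` true on an older jar, is the condition this ticket closes.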

People

  Assignee: jleroux Jacques Le Roux
  Reporter: jleroux Jacques Le Roux