Author Message
ShackyPoh
Joined: Jan 13, 2014
Messages: 15
Offline
Hi All,

Any tips on how we can go about using the latest version for log4j? It seems that the log4j version from the runtime support files is outdated and recently, there is this high security risk for log4j 2.

I would like to deploy log4j 2.15.0.jar, but I am getting an error after removing log4j 1.2.15.jar in the Tomcat lib folder.
WilsonYu
Joined: Nov 6, 2013
Messages: 3937
Offline
OD 8.1.1 will upgrade to log4j 1.2.16. It is going to be GA next week.
ShackyPoh
Joined: Jan 13, 2014
Messages: 15
Offline
Hi Wilson,

If I am not wrong, log4j 1.2.16 is still vulnerable to 3 CVEs (the same applies to log4j 1.2.17).

Log4j 1.2.x is also End-Of-Life.

Referencing: https://snyk.io/vuln/maven:log4j%3Alog4j
WilsonYu
Joined: Nov 6, 2013
Messages: 3937
Offline
Actually I meant Log4j2 2.16
ShackyPoh
Joined: Jan 13, 2014
Messages: 15
Offline
Hi Wilson, does that mean we can just update log4j to the latest (log4j 2.15.0) without issues?
The version you have mentioned is also affected by the CVE.
WilsonYu
Joined: Nov 6, 2013
Messages: 3937
Offline
I mentioned "Log4j2 2.16" in my last message. It is the newest release for log4j version 2.

https://logging.apache.org/log4j/2.x/

You cannot do any manual upgrade. OD 8.1.1 will support log4j 2.16.0, GA next week.
ShackyPoh
Joined: Jan 13, 2014
Messages: 15
Offline
Hi Wilson, now I understand. I suppose all applications using older Orchestration versions will need to be redeployed and updated using AAOD 8.1.1 in order to fix the log4j issue. Thanks for the information.
ShackyPoh
Joined: Jan 13, 2014
Messages: 15
Offline
Hmm... it doesn't seem like there is a new release for Orchestration Designer (8.1.1) yet.
WilsonYu
Joined: Nov 6, 2013
Messages: 3937
Offline
The release has been put on hold since we are getting new updates from log4j2
ShackyPoh
Joined: Jan 13, 2014
Messages: 15
Offline
Hi Wilson, any ETA for this?
WilsonYu
Joined: Nov 6, 2013
Messages: 3937
Offline
We don't have one yet.
deepak.garg.cinbell.com
Joined: Apr 19, 2018
Messages: 11
Offline
Hi Team,
Any update on this release?
MatthewKopcienski
Joined: Nov 14, 2013
Messages: 83
Offline
So, to get rid of log4jv1 we'll need to upgrade everyone to a yet to be GA OD 8.1.1 which is compatible with
AEP 7.0, 7.1, 7.2, 8.0, 8.1
J2SE 1.8, 1.9, 10.1, 11, 12
Tomcat 7.0, 8.0, 8.5, 9.0
Correct?
WilsonYu
Joined: Nov 6, 2013
Messages: 3937
Offline
Yes. We don't have the date for GA yet. It could be any time.
Deepanyuvaraja
Joined: Oct 14, 2020
Messages: 1
Offline
Any tentative dates for the GA release of OD 8.1.1?