Author |
Message |
ShackyPoh
Joined: Jan 13, 2014
Messages: 23
Offline
|
Hi All,
Any tips on how we can go about using the latest version for log4j? It seems that the log4j version from the runtime support files is outdated and recently, there is this high security risk for log4j 2.
I would like to deploy log4j 2.15.0.jar but I am getting an error after removing log4j 1.2.15.jar in the Tomcat lib folder.
|
WilsonYu
Joined: Nov 6, 2013
Messages: 3950
Offline
|
OD 8.1.1 will upgrade to log4j 1.2.16. It is going to be GA next week.
|
ShackyPoh
Joined: Jan 13, 2014
Messages: 23
Offline
|
Hi Wilson,
If I am not wrong, log4j 1.2.16 is still vulnerable to 3 CVEs (the same applies to log4j 1.2.17).
Log4j 1.2.x is also End-Of-Life.
Referencing: https://snyk.io/vuln/maven:log4j%3Alog4j
|
WilsonYu
Joined: Nov 6, 2013
Messages: 3950
Offline
|
Actually I meant Log4j2 2.16
|
ShackyPoh
Joined: Jan 13, 2014
Messages: 23
Offline
|
Hi Wilson, does that mean we can just update log4j to the latest (log4j 2.15.0) without issues?
The version you have mentioned is also affected by the CVE.
|
WilsonYu
Joined: Nov 6, 2013
Messages: 3950
Offline
|
I mentioned "Log4j2 2.16" in my last message. It is the newest release for log4j version 2.
https://logging.apache.org/log4j/2.x/
You cannot do any manual upgrade. OD 8.1.1 will support log4j 2.16.0, GA next week.
|
ShackyPoh
Joined: Jan 13, 2014
Messages: 23
Offline
|
Hi Wilson, now I understand. I suppose all applications using older Orchestration versions will need to be redeployed and updated using AAOD 8.1.1 in order to fix the log4j issue. Thanks for the information.
|
ShackyPoh
Joined: Jan 13, 2014
Messages: 23
Offline
|
Hmm... it doesn't seem like there is a new release for Orchestration Designer (8.1.1) yet.
|
WilsonYu
Joined: Nov 6, 2013
Messages: 3950
Offline
|
The release has been put on hold since we are getting new updates from log4j2.
|
ShackyPoh
Joined: Jan 13, 2014
Messages: 23
Offline
|
Hi Wilson, any ETA for this?
|
WilsonYu
Joined: Nov 6, 2013
Messages: 3950
Offline
|
We don't have one yet.
|
deepak.garg.cinbell.com
Joined: Apr 19, 2018
Messages: 18
Offline
|
Hi Team,
Any update on this release?
|
MatthewKopcienski
Joined: Nov 14, 2013
Messages: 95
Offline
|
So, to get rid of log4jv1 we'll need to upgrade everyone to a yet to be GA OD 8.1.1 which is compatible with
AEP 7.0, 7.1, 7.2, 8.0, 8.1
J2SE 1.8, 1.9, 10.1, 11, 12
Tomcat 7.0, 8.0, 8.5, 9.0
Correct?
|
WilsonYu
Joined: Nov 6, 2013
Messages: 3950
Offline
|
Yes. We don't have the date for GA yet. It could be any time.
|
Deepanyuvaraja
Joined: Oct 14, 2020
Messages: 1
Offline
|
Any tentative dates for the GA release of OD 8.1.1?
|