Log4j 2.x vulnerability - UPDATED

All branches of Simplicité version 5 have been upgraded with the latest Log4J 2.x lib (2.15.0), which solves the following critical vulnerability: CVE-2021-44228

You should upgrade your instances to revision 5.1.16 or more recent as soon as possible.

Note that Simplicité version 4.0 (and legacy older versions) is not impacted by this vulnerability, as it does not use Log4J 2.x.

[UPDATE]

The Apache foundation has just released a new version of Log4J 2.x (version 2.16.0) in order to definitively fix the vulnerability. See their latest release note: https://logging.apache.org/log4j/2.x/changes-report.html#a2.16.0

This new Log4J2 version has been upgraded on all concerned branches of the Simplicité platform. For the current release branch this corresponds to the 5.1.17 revision. See our release note: https://docs.simplicite.io/5/releasenote/releasenote-5.1.md#version-5.1.17

You should thus upgrade your instances again, as soon as possible, to this latest revision. We also hope this will actually be the final fix of this Log4J vulnerability…

Note: the Apache foundation has reported a potential vulnerability in Log4J 1.x versions, but limited to the barely used JMS and JNDI-based appenders. Log4J 1.x is used in the Simplicité long term maintenance 4.0 and older non-maintained versions. If you have not customised the default logging configuration to add such JMS or JNDI-based appenders, you are not impacted by this potential vulnerability, as this default configuration only involves basic console and file appenders.

[UPDATE - 2021-12-20]

The Apache foundation has just released a new version of Log4J 2.x (version 2.17.0). See their release note: Log4j – Changes

This new Log4J2 version has been upgraded on all concerned branches of the Simplicité platform. For the current release branch this corresponds to the 5.1.19 revision. See our release note: Simplicité® 5/releasenote/releasenote-5.1.

You should thus upgrade your instances again, as soon as possible, to this latest revision. We also hope, again, that this will actually be the final fix of these Log4J vulnerabilities…


[UPDATE - 2021-12-29]

The Apache foundation has just released a new version of Log4J 2.x (version 2.17.1). See their release note: Log4j – Changes

This new Log4J2 version has been upgraded on all concerned branches of the Simplicité platform. For the current release branch this corresponds to the 5.1.22 revision. See our release note: Simplicité® 5/releasenote/releasenote-5.1.

You should thus upgrade your instances again, as soon as possible, to this latest revision.
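A check to go with the upgrade advice in this thread, added here as an example that is not Simplicité's own code or tooling: a bash script that walks a deployment directory for bundled Log4j jars, compares the version in each jar name against 2.17.1 (the release the last update above moved to), and, for a Log4j 1.x setup, greps the logging configuration for the JMS/JNDI-based appenders mentioned in the note on Log4j 1.x. The directory layout, jar names and properties files it builds under a temporary directory are constructed sample data; real deployment paths (for example a `WEB-INF/lib` folder) are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not Simplicité code): audit a directory tree for Log4j jars
# and for risky Log4j 1.x appender configuration.

# Minimum Log4j 2.x release considered fixed according to the thread above.
FIXED_LOG4J2="2.17.1"

# Compare two dotted versions. Prints 0 if a == b, 1 if a > b, 2 if a < b.
# Missing components count as 0, so "2.17" equals "2.17.0".
vercmp() {
  local IFS=.
  local -a a=($1) b=($2)
  local i n=${#a[@]}
  (( ${#b[@]} > n )) && n=${#b[@]}
  for ((i = 0; i < n; i++)); do
    local x=${a[i]:-0} y=${b[i]:-0}
    if (( x > y )); then echo 1; return; fi
    if (( x < y )); then echo 2; return; fi
  done
  echo 0
}

# Version from a Maven-style jar name: log4j-core-2.15.0.jar -> 2.15.0,
# log4j-1.2.17.jar -> 1.2.17. Shaded or renamed jars are NOT recognised this way.
jar_version() {
  local base
  base=$(basename "$1" .jar)
  echo "${base##*-}"
}

# Classify one jar path: "ok", "upgrade" (2.x below the fixed release),
# "log4j1" (legacy 1.x line) or "unknown" (other log4j-* artifacts such as bridges).
classify_jar() {
  local name ver
  name=$(basename "$1")
  ver=$(jar_version "$1")
  case "$name" in
    log4j-core-*.jar|log4j-api-*.jar)
      if [ "$(vercmp "$ver" "$FIXED_LOG4J2")" = 2 ]; then echo "upgrade"; else echo "ok"; fi ;;
    log4j-1.*.jar) echo "log4j1" ;;
    *) echo "unknown" ;;
  esac
}

# True (exit 0) if a Log4j 1.x properties file wires in a JMS or JNDI-based appender,
# which is the only configuration the note above says is potentially affected.
log4j1_config_risky() {
  grep -Eiq 'JMSAppender|jndi' "$1"
}

# Walk a directory, print "<status><TAB><jar>" per Log4j jar found.
# Returns 1 if any Log4j 2.x jar still needs the upgrade, 0 otherwise.
audit_dir() {
  local dir=$1 rc=0 jar status
  while IFS= read -r jar; do
    status=$(classify_jar "$jar")
    printf '%s\t%s\n' "$status" "$jar"
    if [ "$status" = upgrade ]; then rc=1; fi
  done < <(find "$dir" -name 'log4j*.jar' | sort)
  return "$rc"
}

# Constructed sample deployment: empty files named like real jars, plus a default
# (console + file) Log4j 1.x config and a customised one that adds a JMSAppender.
make_sample() {
  local dir=$1
  mkdir -p "$dir/webapp/WEB-INF/lib" "$dir/legacy"
  : > "$dir/webapp/WEB-INF/lib/log4j-core-2.15.0.jar"   # below 2.17.1: needs upgrade
  : > "$dir/webapp/WEB-INF/lib/log4j-api-2.15.0.jar"
  : > "$dir/legacy/log4j-1.2.17.jar"                      # Log4j 1.x line
  cat > "$dir/legacy/log4j.properties" <<'EOF'
log4j.rootLogger=INFO, console, file
log4j.appender.console=org.apache.log4j.ConsoleAppender
log4j.appender.file=org.apache.log4j.RollingFileAppender
log4j.appender.file.File=app.log
EOF
  cat > "$dir/legacy/log4j-custom.properties" <<'EOF'
log4j.rootLogger=INFO, console, jms
log4j.appender.console=org.apache.log4j.ConsoleAppender
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.TopicBindingName=logTopic
EOF
}

# Stand-alone run on the constructed sample.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
  sample=$(mktemp -d)
  make_sample "$sample"
  audit_dir "$sample" || echo "ACTION: upgrade Log4j 2.x to $FIXED_LOG4J2 or later"
  for cfg in "$sample"/legacy/*.properties; do
    if log4j1_config_risky "$cfg"; then echo "RISKY 1.x config: $cfg"; else echo "default-style 1.x config: $cfg"; fi
  done
fi
```

Name-based detection only sees jars that keep their Maven artifact name; a shaded or relocated copy of log4j-core will show up as "unknown" or not at all, so on a real instance confirm the version from inside the jar with `unzip -p <jar> META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties` as well. The 1.x check is deliberately a plain grep for the appender class names and for "jndi", matching the scope the note gives: a default console/file configuration reports clean, a customised one with a JMSAppender reports risky.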