Hello,

This contains mitigation procedures for a recent critical vulnerability discovered in Apache Log4j core.
If you are using Apache Fortress, here are things you can do to prevent the exploit from occurring.

1. Use the latest release, 2.0.7. Released today, it includes the patched log4j2 v2.15.0.

If you can’t go to latest...

2. Update your pom.xml to override any previous log4j2 and pull the latest:

```
<dependency>
  <groupId>org.apache.logging.log4j</groupId>
  <artifactId>log4j-core</artifactId>
  <version>2.15.0</version>
</dependency>
```

This will override any transitive dependencies to use this version.

Note: Be sure to look at the libs your project pulls back during the build to verify it’s using v2.15.0.

3. Follow the guidelines laid out by the Apache Log4j project in their release announcement.

[[ANNOUNCEMENT] Apache Log4j 2.15.0 Released](http://mail-archives.apache.org/mod_mbox/www-announce/202112.mbox/%3CD88D40C5-8884-470E-8FA3-3B6D6899A7B0%40apache.org%3E)

***

That’s about it. While this is a critical vulnerability, it’s entirely preventable by completing one of these steps. You may contact me privately if concerned about leaking security details about your deployments, or reply on this mailing list with questions.

— Shawn
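One way to carry out the check in the note under step 2 on a built artifact, as an added example that is not part of the original message or of Apache Fortress: it opens a WAR or jar, descends into nested jars, and reads each bundled log4j-core's version from its Maven `pom.properties` entry. The function names and the sample WAR are constructed for illustration; the 2.15.0 threshold is the version named in the message.

```python
import io
import re
import zipfile

MIN_VERSION = (2, 15, 0)  # patched log4j-core version named in the message above
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear")

def parse_version(text):
    """Turn '2.14.1' or '2.0-beta9' into a comparable 3-tuple (missing parts = 0)."""
    nums = [int(n) for n in re.findall(r"\d+", text.split("-")[0])][:3]
    return tuple(nums + [0] * (3 - len(nums)))

def find_log4j_core(data, path):
    """Return [(location, version)] for each log4j-core copy in an archive,
    descending into nested archives (WEB-INF/lib/*.jar, fat jars)."""
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name == POM_PROPS:
                props = zf.read(name).decode("utf-8", "replace")
                m = re.search(r"^version=(.+)$", props, re.M)
                if m:
                    found.append((path, m.group(1).strip()))
            elif name.lower().endswith(ARCHIVE_EXT):
                inner = zf.read(name)
                if zipfile.is_zipfile(io.BytesIO(inner)):
                    found += find_log4j_core(inner, f"{path}!/{name}")
    return found

def outdated(data, path, minimum=MIN_VERSION):
    """Subset of find_log4j_core() results older than the minimum version."""
    return [(loc, v) for loc, v in find_log4j_core(data, path)
            if parse_version(v) < minimum]

def make_jar(version):
    """Constructed sample input: a jar holding only log4j-core's pom.properties."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
    return buf.getvalue()

def build_sample_war():
    """Constructed sample input: a WAR bundling an old and a patched log4j-core."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", make_jar("2.14.1"))
        war.writestr("WEB-INF/lib/log4j-core-2.15.0.jar", make_jar("2.15.0"))
    return buf.getvalue()
```

To check a real build, pass the artifact's bytes and path to `outdated()`; an empty list means every copy found is at or above the minimum. Repackaged jars that drop `META-INF/maven` are not detected by this check.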
