> On Dec 12, 2021, at 3:16 PM, Shawn McKinney <[email protected]> wrote:
>
> 1. Use latest release 2.0.7. Released today, it includes the patched log4j2 v2.15.0
>
> If you can’t go to latest…
Clarification: This vulnerability only applies to deployments that use Apache Fortress 2.0.6. We migrated to use Apache Log4j2 just prior to that release, which means ONLY 2.0.6 is impacted.

Updated mitigation steps:

If you are using Apache Fortress 2.0.6, here are things you can do to prevent the exploit from occurring.

1. Use latest release 2.0.7. Released today, it includes the patched log4j2 v2.15.0.

2. Use Apache Fortress release prior to 2.0.6.

If you must use Apache Fortress 2.0.6…

3. Update your pom.xml, to override any previous log4j2 to pull the latest:

```xml
<dependency>
  <groupId>org.apache.logging.log4j</groupId>
  <artifactId>log4j-core</artifactId>
  <version>2.15.0</version>
</dependency>
```

This will override any transitory dependencies to use this version.

Note: Be sure to look at the libs your project pulls back during the build to verify it’s using v2.15.0.

4. Follow the guidelines laid out by the Apache Log4j project in their release announcement.

[[ANNOUNCEMENT] Apache Log4j 2.15.0 Released](http://mail-archives.apache.org/mod_mbox/www-announce/202112.mbox/%3CD88D40C5-8884-470E-8FA3-3B6D6899A7B0%40apache.org%3E)

— Shawn
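The note in step 3 (check which log4j-core the build actually pulled) is the part people skip, so here is a small build-output check. It is an added example, not code from the thread or from Apache Fortress; it assumes Maven's default artifact naming (`log4j-core-<version>.jar`) in whatever lib directory your packaging produces (`target/<app>/WEB-INF/lib` for a war is a typical location; the function and directory names are mine), and it compares the version numerically against 2.15.0 so that a 2.9.x jar is not mistaken for a newer one by string comparison.

```shell
#!/bin/sh
# Added example (not part of the original thread or of Apache Fortress):
# scan a directory of resolved build artifacts for log4j-core jars and
# report any whose version is below the fixed release 2.15.0.
# Assumes Maven's default artifact naming: log4j-core-<version>.jar.

MIN_LOG4J="2.15.0"

# version_lt A B -> exit 0 if A < B, comparing up to three dot-separated
# numeric parts; a trailing qualifier such as "-rc1" is ignored.
version_lt() {
    echo "$1 $2" | awk '{
        n1 = split($1, a, "."); n2 = split($2, b, ".");
        for (i = 1; i <= 3; i++) {
            x = (i <= n1) ? a[i] + 0 : 0;
            y = (i <= n2) ? b[i] + 0 : 0;
            if (x < y) exit 0;
            if (x > y) exit 1;
        }
        exit 1
    }'
}

# check_log4j_dir DIR -> prints one line per log4j-core jar found and
# returns 1 if any of them is older than MIN_LOG4J, 0 otherwise.
check_log4j_dir() {
    dir="$1"
    rc=0
    found=0
    for jar in "$dir"/log4j-core-*.jar; do
        [ -e "$jar" ] || continue
        found=1
        base=$(basename "$jar" .jar)
        ver=${base#log4j-core-}
        if version_lt "$ver" "$MIN_LOG4J"; then
            echo "VULNERABLE: $jar (log4j-core $ver < $MIN_LOG4J)"
            rc=1
        else
            echo "ok: $jar (log4j-core $ver)"
        fi
    done
    [ "$found" -eq 1 ] || echo "no log4j-core jar found in $dir"
    return $rc
}

# Constructed demo: a scratch directory holding the jar names a build
# would leave behind when the pom override did not take effect and the
# old transitive log4j-core is still being pulled.
demo() {
    tmp=$(mktemp -d)
    touch "$tmp/log4j-core-2.14.1.jar" "$tmp/log4j-api-2.15.0.jar"
    check_log4j_dir "$tmp"
    status=$?
    rm -rf "$tmp"
    return $status
}

# Usage against a real build: check_log4j_dir target/myapp/WEB-INF/lib
# Non-zero status means an outdated log4j-core is present.
demo || echo "demo: outdated log4j-core detected (exit status $?)"
```

Filename-based checks only see jars that keep Maven's naming, so a shaded or repackaged jar that bundles log4j-core would be missed; for the resolution side, `mvn dependency:tree -Dincludes=org.apache.logging.log4j` shows which version Maven selected and through which path, which is the quickest way to confirm the override in step 3 actually won.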
