A major vulnerability – named Log4Shell – has been discovered in the Apache Log4J logging library.
As of this weekend, all branches of Simplicité version 5 have been updated with the latest Log4J library available at the time (2.15.0), which solved the critical vulnerability mentioned above.
Today, the Apache Foundation has released a new version of Log4J 2.x (version 2.16.0) to permanently fix this vulnerability (see their latest release note: Log4j – Changes).
This new version has been updated on all affected branches of the Simplicité platform. For the current branch, this corresponds to revision 5.1.17. See our release note: Simplicité® 5/releasenote/releasenote-5.1 or our forum topic.
You should therefore upgrade your instances as soon as possible to this latest revision.
We also hope that this will be the final fix for this Log4J vulnerability…
[UPDATE – 2021-12-20]
The Apache Foundation has just released a new version of Log4J 2.x (version 2.17.0). See their release note: Log4j – Changes.
This new Log4J2 version has been upgraded on all concerned branches of the Simplicité platform. For the current release branch this corresponds to the 5.1.19 revision. See our release note: Simplicité® 5/releasenote/releasenote-5.1.
You should thus upgrade your instances again as soon as possible to this latest revision. We also hope – again – that this will actually be the final fix for these Log4J vulnerabilities…
Note: This vulnerability does not affect Simplicité 4.0, as it uses Log4J 1.x rather than Log4J 2.x. However, the Apache Foundation indicates that the Log4J 1.x JMS and JNDI-based appenders may also be potentially vulnerable.
The default Log4J configuration shipped with Simplicité uses only basic appenders (console and file), so if you have not customised this configuration there is no risk; otherwise, make sure you disable any vulnerable appenders you may have added.
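As an added example (not part of the original post and not Simplicité's own code), here is a small Python check that scans a Log4J 1.x properties configuration for the JMS/JNDI-based appender mentioned in the note above. The two configurations are constructed for this check: one approximates a console-plus-file setup like the default, the other a customised setup that added a JMS appender; the risky-class list is an assumption limited to the class the note points at, plus a name heuristic.

```python
import re

# Appender class the Log4J 1.x advisory flags (it performs JNDI lookups).
# Assumed list for this check; extend it if your own audit identifies more.
RISKY_APPENDER_CLASSES = ("org.apache.log4j.net.JMSAppender",)

# Log4J 1.x properties syntax: log4j.appender.<name>=<fully qualified class>
# (sub-keys such as log4j.appender.<name>.layout do not match this pattern)
APPENDER_RE = re.compile(r"^\s*log4j\.appender\.([A-Za-z0-9_]+)\s*=\s*(\S+)\s*$")


def find_risky_appenders(config_text: str) -> list:
    """Return (appender name, class) pairs that are JMS/JNDI-based.

    A class is flagged if it is in RISKY_APPENDER_CLASSES or if its name
    contains 'JMS' or 'JNDI' (heuristic for custom or renamed appenders).
    Commented-out lines are ignored.
    """
    findings = []
    for line in config_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        match = APPENDER_RE.match(line)
        if not match:
            continue
        name, cls = match.group(1), match.group(2)
        if cls in RISKY_APPENDER_CLASSES or re.search(r"JMS|JNDI", cls, re.I):
            findings.append((name, cls))
    return findings


# Constructed sample: console + file appenders only, nothing to flag.
DEFAULT_LIKE_CONFIG = """\
log4j.rootLogger=INFO, console, file
log4j.appender.console=org.apache.log4j.ConsoleAppender
log4j.appender.console.layout=org.apache.log4j.PatternLayout
log4j.appender.file=org.apache.log4j.RollingFileAppender
log4j.appender.file.File=logs/app.log
"""

# Constructed sample: same setup plus a JMS appender added by an operator.
CUSTOMISED_CONFIG = DEFAULT_LIKE_CONFIG + """\
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.TopicBindingName=logTopic
"""

if __name__ == "__main__":
    for label, cfg in (("default-like", DEFAULT_LIKE_CONFIG), ("customised", CUSTOMISED_CONFIG)):
        print(label, "->", find_risky_appenders(cfg) or "no JMS/JNDI appenders")
```

Run it against your instance's real `log4j.properties` by reading the file into `find_risky_appenders`; an empty result means no JMS/JNDI-based appender is configured.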