SpaceIQ (Archibus software) has provided a response to the recent log4j security concerns for Java and Apache Tomcat. This issue has been updated three times as more information has become available. Below is the most recent "fix" for the issue. If and when additional updates are made available, they will be passed on to our clients. We are available to assist with these fixes as needed.
From SpaceIQ
Log4j 2.x affects Web Central 25.2 or newer. If you are using an older version of Archibus Web Central, this vulnerability is not of concern. While it's true that Log4j 1.x has its own issues, it's not possible to simply swap the jars because the package name, classes and methods have changed between the two major versions: org.apache.log4j.Logger.getLogger (1.x) vs org.apache.logging.log4j.LogManager.getLogger (2.x). This means that, in order to patch older versions, one would need to modify 300+ Java files (both core and application) and then test the whole product to see that it still works.
For versions 25.2 and newer, it is highly recommended to update the following jar files from under \archibus\WEB-INF\lib\: log4j-api-2.13.3.jar, log4j-core-2.13.3.jar, log4j-slf4j-impl-2.13.3.jar.
You can download the latest jar files from here:
https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-core/2.17.0/log4j-core-2.17.0.jar
https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-api/2.17.0/log4j-api-2.17.0.jar
https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-slf4j-impl/2.17.0/log4j-slf4j-impl-2.17.0.jar
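To confirm the swap afterwards, the following added example (not part of the SpaceIQ guidance or of Archibus) audits a WEB-INF/lib folder for the three jars named above. It flags any copy below 2.17.0, including an old jar renamed to look new, and any old jar left beside its replacement. The script name, the function names and the assumption that the jar manifest carries an Implementation-Version line are this example's own.

```python
import re
import sys
import zipfile
from pathlib import Path

TARGET = (2, 17, 0)  # version linked in the advisory above
ARTIFACTS = ("log4j-api", "log4j-core", "log4j-slf4j-impl")  # jars it names
NAME_RE = re.compile(r"^(log4j-(?:api|core|slf4j-impl))-(\d+(?:\.\d+)+)\.jar$")

def manifest_version(jar_path):
    """Implementation-Version from the jar manifest, or None if unavailable."""
    try:
        with zipfile.ZipFile(jar_path) as jar:
            text = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError, OSError):
        return None
    m = re.search(r"^Implementation-Version:\s*(\d+(?:\.\d+)+)\s*$", text, re.M)
    return m.group(1) if m else None

def audit_lib(lib_dir):
    """Return sorted (artifact, problem) findings for a WEB-INF/lib directory."""
    seen = {name: [] for name in ARTIFACTS}
    findings = []
    for jar in sorted(Path(lib_dir).glob("log4j-*.jar")):
        m = NAME_RE.match(jar.name)
        if not m:
            continue
        artifact, name_ver = m.groups()
        # Trust the manifest over the file name: a renamed old jar is still old.
        version = manifest_version(jar) or name_ver
        seen[artifact].append(jar.name)
        if tuple(map(int, version.split("."))) < TARGET:
            findings.append((artifact, f"{jar.name} is {version}, below 2.17.0"))
    for artifact, jars in seen.items():
        if not jars:
            findings.append((artifact, "no jar found"))
        elif len(jars) > 1:
            # Old jar left beside the new one: both end up on the classpath.
            findings.append((artifact, "multiple copies: " + ", ".join(jars)))
    return sorted(findings)

if __name__ == "__main__":
    # Usage (hypothetical script name): python audit_log4j.py <WEB-INF/lib path>
    results = audit_lib(sys.argv[1] if len(sys.argv) > 1 else ".")
    for artifact, problem in results:
        print(f"{artifact}: {problem}")
    sys.exit(1 if results else 0)
```

An empty result and exit code 0 mean all three jars are present once each at 2.17.0 or later.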
About the Author
Fulton Hartzog