
Log4J Vulnerability

Due to the Apache Log4J2 Security Vulnerability CVE-2021-44228, Simflofy is urging all users to update the affected jars in their installation.

At the time of writing, the most up-to-date versions of the libraries that contain the fix for the vulnerability are log4j-api-2.16.0.jar and log4j-core-2.16.0.jar.

Replacing Compromised Jars

As with all software changes for Simflofy, we encourage you to back up your current installation before making any changes.

  1. Shut down your Simflofy instance if it's running.

  2. In your installation directory, locate the affected libraries. These are likely in the tomcat > webapps > simflofy-admin > WEB-INF > lib directory or the tomcat > webapps > tsearch > WEB-INF > lib directory. The affected libraries are named log4j-core-2.xx.x.jar and log4j-api-2.xx.x.jar, where xx is a number below 15, since version 2.15.0 was the first released version that contained the fix for this vulnerability.

Warning: There are other libraries with names similar to these two libraries. Be sure that you are only replacing the above two libraries.

  3. Delete the affected jars.

  4. Move the new jars (log4j-api-2.16.0.jar and log4j-core-2.16.0.jar) into the lib directory (both lib directories if using tsearch).

  5. Start your Simflofy instance.
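A read-only check for the "locate the affected libraries" step, added here as an example and not part of Simflofy's own tooling: it lists only the log4j-core and log4j-api jars whose 2.x minor version is below 15 and skips the similarly named libraries. The function names are hypothetical, the sample tree is constructed, and release-style file names (2.minor or 2.minor.patch) are assumed.

```shell
#!/bin/sh
# Added example (hypothetical helper names). Read-only: lists jars, changes nothing.

# Exit 0 if NAME is log4j-core or log4j-api with a 2.x minor version below 15.
is_affected_log4j_jar() {
    name=$(basename "$1")
    case "$name" in
        log4j-core-2.*.jar) ver=${name#log4j-core-} ;;
        log4j-api-2.*.jar)  ver=${name#log4j-api-} ;;
        *) return 1 ;;   # similarly named: log4j-slf4j-impl, log4j-1.2-api, ...
    esac
    ver=${ver%.jar}
    # Assumption: release-style versions only (2.<minor> or 2.<minor>.<patch>);
    # suffixed names such as -tests or -sources are not the library jar itself.
    case "$ver" in
        *[!0-9.]*|*..*|*.) return 1 ;;
    esac
    minor=$(printf '%s' "$ver" | cut -d. -f2)
    [ "$minor" -lt 15 ]
}

# Print the path of every affected jar found directly in the given lib directories.
find_affected_log4j() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for jar in "$dir"/log4j-*.jar; do
            [ -e "$jar" ] || continue
            if is_affected_log4j_jar "$jar"; then
                printf '%s\n' "$jar"
            fi
        done
    done
}

# Constructed sample: empty files named like jars, in the two lib directories.
demo_constructed_tree() {
    root=$(mktemp -d)
    admin="$root/tomcat/webapps/simflofy-admin/WEB-INF/lib"
    tsearch="$root/tomcat/webapps/tsearch/WEB-INF/lib"
    mkdir -p "$admin" "$tsearch"
    touch "$admin/log4j-core-2.13.3.jar" "$admin/log4j-api-2.13.3.jar" \
          "$admin/log4j-slf4j-impl-2.13.3.jar" "$admin/log4j-1.2-api-2.13.3.jar" \
          "$tsearch/log4j-core-2.16.0.jar" "$tsearch/log4j-api-2.9.1.jar"
    find_affected_log4j "$admin" "$tsearch" | sed "s|^$root/||"
    rm -rf "$root"
}

demo_constructed_tree
```

Against a real installation, call find_affected_log4j with the two lib directories before deleting anything, and again after the replacement to confirm it prints nothing.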