Please update log4j2 dependencies to log4j 2.16

It is not enough simply to add -Dlog4j2.formatMsgNoLookups=true. There are 2 problems:

This is needed because version 2.15 is still exploitable in certain non-default configurations, and this moderate-severity oversight has earned its own bug ID: CVE-2021-45046.

That release closed the hole (CVE-2021-44228) by disabling by default the Java library’s primarily exploitable functionality: JNDI message lookups. Now version 2.16 is out, and it disables all JNDI support by default, and removes message lookup handling entirely for good measure, hopefully finally preventing further exploitation.

And thanks for your fast and hard work.

I had put in a GitHub ticket before I realized that the forums are preferred. More detail here: github dot com /codelibs/fess/issues/2610

…uh, I guess I can’t post a link to github. So you’ll have to assemble that link yourself. :man_facepalming:

Please see Log4j2 RCE Vulnerability for CVE-2021-44228
We will update it.

Looks like codelibs is now including their own, patched version of log4j core in v13.15.3, so I think we’re in the clear with this new version.

Thanks, @shinsuke !


  • github /codelibs/fess/releases/tag/fess-13.15.3
  • github /codelibs/fess/issues/2611
  • github /codelibs/fess/issues/2610