Zero day log4j — How to upgrade log4j in Nuxeo from your custom marketplace package
An exploit for a critical zero-day vulnerability affecting Apache Log4j2 was disclosed on December 9, 2021. All versions of Log4j2 versions >= 2.0-beta9 and <= 2.14.1 are affected by this vulnerability. This is fixed in version 2.15.0.
You can check the version you have on your Nuxeo server with the following:
ls $NUXEO_SERVER/lib | grep log4j
mariana@OCPSE-MCEDICA nuxeo-server-tomcat-2021.1.19 $ ls lib/ | grep log4j log4j-api-2.13.3.jar log4j-core-2.13.3.jar log4j-jcl-2.13.3.jar log4j-slf4j-impl-2.13.3.jar