Zero day log4j — How to upgrade log4j in Nuxeo from your custom marketplace package

An exploit for a critical zero-day vulnerability affecting Apache Log4j2 was disclosed on December 9, 2021. All Log4j2 versions >= 2.0-beta9 and <= 2.14.1 are affected by this vulnerability. It is fixed in version 2.15.0.

You can check the version you have on your Nuxeo server with the following:

ls "$NUXEO_SERVER/lib" | grep log4j

For example:

mariana@OCPSE-MCEDICA nuxeo-server-tomcat-2021.1.19 $ ls lib/ | grep log4j
log4j-api-2.13.3.jar
log4j-core-2.13.3.jar
log4j-jcl-2.13.3.jar
log4j-slf4j-impl-2.13.3.jar
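
The manual check above can be scripted. The following is an added example, not part of the original post: it reads the version out of each log4j jar name in a lib directory and compares it with the affected range stated above. The function names and the script file name are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): flag log4j jars whose version
# falls in the affected range stated above: >= 2.0-beta9 and <= 2.14.1.

# log4j_status VERSION -> prints "affected", "outside-range" or "unknown"
log4j_status() {
    case $1 in
        2.0-alpha*|2.0-beta[1-8]) echo outside-range; return ;;  # older than 2.0-beta9
    esac
    base=${1%%-*}                        # drop qualifiers such as -beta9 or -rc1
    case $base in
        ''|*[!0-9.]*) echo unknown; return ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $base; IFS=$old_ifs
    major=${1:-0} minor=${2:-0} patch=${3:-0}
    if [ "$major" -eq 2 ] && { [ "$minor" -lt 14 ] ||
        { [ "$minor" -eq 14 ] && [ "$patch" -le 1 ]; }; }; then
        echo affected
    else
        echo outside-range
    fi
}

# scan_lib DIR -> one line per jar named log4j-<module>-<version>.jar:
#                 "<jar> <version> <status>"
scan_lib() {
    for jar in "$1"/log4j-*.jar; do
        [ -e "$jar" ] || continue        # glob matched nothing
        name=${jar##*/}
        # Version = text after the last "-<digit>", minus the ".jar" suffix.
        ver=$(printf '%s\n' "$name" |
            sed -n 's/^log4j-[a-z0-9.-]*-\([0-9].*\)\.jar$/\1/p')
        [ -n "$ver" ] || continue        # name does not follow the pattern
        echo "$name $ver $(log4j_status "$ver")"
    done
}

# Usage: sh check-log4j.sh "$NUXEO_SERVER/lib"   (script name is hypothetical)
if [ -d "${1:-}" ]; then scan_lib "$1"; fi
```

Any line ending in `affected` means the jar is in the range that needs the upgrade to 2.15.0.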