Hybris SAP Commerce Cloud - Log4j Vulnerability Solution
The Log4j vulnerability is the most high-profile security vulnerability on the internet right now and comes with a severity score of 10 out of 10. I hope by now you are already aware of Log4j Vulnerability (CVE-2021-44228). Hence, In this article, I'll not cover more about what log4j vulnerability is.
Now let's talk about what is the quick solution or precautionary measures for the SAP Commerce Hybris.
If your Hybris solution is on-premise or with SAP Infrastructure (CCV1) then you should take preventive measures either removing JNDI classes from existing log4j-core-*.jar or upgrading all log4j libs. As of now, let's go with the first option which looks like a quick and easy fix to me.
1) Create /hybris/config/customize/platform/ext/core/lib folder structure in your project
2) Copy /hybris/bin/platform/ext/core/lib/log4j-core-.jar* file to /hybris/config/customize/platform/ext/core/lib
3) Go to /hybris/config/customize/platform/ext/core/lib and execute below two commands which exclude Jndi classes.
zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/net/JndiManager.class
4) Your lib is ready to use. You can commit this jar to the code repository (Git)
5) Make sure to execute the below command during the hybris build process in all the environments. This will override the Hybris OOTB log4j-core-*.jar
ant customize
thanks
ReplyDelete