Upgrade Log4j version on Sap Hybris Commerce to fix vulnerability

Hybris Logo

1. Overview

Recently, a several vulnerabilities was found in Apache Log4j, an open-source logging library commonly used by Java apps and services across the internet.

The vulnerabilities allow an attacker to perform remote code execution by exploiting the JNDI lookups.

Many enterprise applications written in Java and SAP Hybris/Commerce included are potentially vulnerable to the flaws in Log4j.

SAP Hybris/Commerce comes pre-bundled with the Apache Log4J. The Log4j version delivered with SAP Hybris/Commerce comes as a Jar library located in ${HYBRIS_BIN_DIR}/platform/ext/core/lib/log4j-core-2.9.1.jar

This Jar Library should be upgraded with the last version published by Apache, so how do we replace it ?

2. Update Log4j

To replace the Log4j library we will be using two of the most power features of SAP Hybris :

  • Ant build callback : to remove old libraries
  • Ant customize : to place the new libraries (find more about ant customize here and here)

2.1. Ant build callback

Ant build callback is used to hook into the Ant target’s life cycle, and run a script at any point in time.

So let’s create a macrodef in the build callback of any custom extension, in my case it well be ${HYBRIS_BIN_DIR}/custom/training/buildcallbacks.xml

This macrodef will be triggered before ant customize, to remove old Log4j libraries.

<project name="training_buildcallbacks">

    <!-- Log4j old libraries -->
    <property name="log4j_core_291" value="${HYBRIS_BIN_DIR}/platform/ext/core/lib/log4j-core-2.9.1.jar"/>
    <property name="log4j_api_291" value="${HYBRIS_BIN_DIR}/platform/ext/core/lib/log4j-api-2.9.1.jar"/>
    <property name="log4j_slf4j_impl_291" value="${HYBRIS_BIN_DIR}/platform/ext/core/lib/log4j-slf4j-impl-2.9.1.jar"/>

    <echo message="Start before customize for [training]"/>

    <!-- macrodef will be executed just before ant customize -->
    <macrodef name="_before_customize">
            <!-- check if jars exist and delete them all -->
            <echo message="check if jar exists ${log4j_core_291}"/>
                <available file="${log4j_core_291}"/>
                    <echo message="delete jar [log4j-core-2.9.1.jar]"/>
                    <delete file="${log4j_core_291}"/>

            <echo message="check if jar exists ${log4j_api_291}"/>
                <available file="${log4j_api_291}"/>
                    <echo message="delete jar [log4j-api-2.9.1.jar]"/>
                    <delete file="${log4j_api_291}"/>

            <echo message="check if jar exists ${log4j_slf4j_impl_291}"/>
                <available file="${log4j_slf4j_impl_291}"/>
                    <echo message="delete jar [log4j-slf4j-impl-2.9.1.jar]"/>
                    <delete file="${log4j_slf4j_impl_291}"/>

    <echo message="End before customize for [training]"/>

2.1. Ant customize

After deleting old Jars, we will use ant customize to copy the new ones.

First of all, download new Jars from maven repository, the most recent version published today is v 2.17.1.

Then, copy the new Jars into ${HYBRIS_CONFIG_DIR}/customize/platform/ext/core/lib

And run ant customize command.

$ ant customize


     [echo] Start before customize for [training]
     [echo] End before customize for [training]

     [echo] check if jar exists ../projects/stackextend/spartacus-demo/hybris_1905/hybris/bin/platform/ext/core/lib/log4j-core-2.9.1.jar
     [echo] delete jar [log4j-core-2.9.1.jar]
   [delete] Deleting: ../projects/stackextend/spartacus-demo/hybris_1905/hybris/bin/platform/ext/core/lib/log4j-core-2.9.1.jar
     [echo] check if jar exists ../projects/stackextend/spartacus-demo/hybris_1905/hybris/bin/platform/ext/core/lib/log4j-api-2.9.1.jar
     [echo] delete jar [log4j-api-2.9.1.jar]
   [delete] Deleting: ../projects/stackextend/spartacus-demo/hybris_1905/hybris/bin/platform/ext/core/lib/log4j-api-2.9.1.jar
     [echo] check if jar exists ../projects/stackextend/spartacus-demo/hybris_1905/hybris/bin/platform/ext/core/lib/log4j-slf4j-impl-2.9.1.jar
     [echo] delete jar [log4j-slf4j-impl-2.9.1.jar]
   [delete] Deleting: ../projects/stackextend/spartacus-demo/hybris_1905/hybris/bin/platform/ext/core/lib/log4j-slf4j-impl-2.9.1.jar
     [echo] copy the content from ../projects/stackextend/spartacus-demo/hybris_1905/hybris/config/customize to ../projects/stackextend/spartacus-demo/hybris_1905/hybris/bin
     [copy] Copying 4 files to ../projects/stackextend/spartacus-demo/hybris_1905/hybris/bin

Total time: 2 seconds


3. Test

To check that the new version of log4j2 has been taken into account, add the following property log4j2.status = DEBUG to your local.properties, and restart Hybris server
If everything goes well, the right version of log4j2 will be displayed in your console log :

jvm 1 | localhost-startStop-1 DEBUG Apache Log4j Core 2.17.1 initializing configuration org.apache.logging.log4j.core.config.properties.PropertiesConfiguration@74103015
jvm 1 | localhost-startStop-1 DEBUG Installed 3 script engines
jvm 1 | localhost-startStop-1 DEBUG BeanShell Engine version: 1.0, language: BeanShell, threading: MULTITHREADED, compile: true, names: [beanshell, bsh, java], factory class: bsh.engine.BshScriptEngineFactory


Happy reading 🙂

4.8 6 votes
Article Rating
Notify of

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Newest Most Voted
Inline Feedbacks
View all comments
Sureshkumar Chidrapu
Sureshkumar Chidrapu
2 years ago

Hi Team,

Can yopu please suggest how to run ant customize on CCV2 cloud environemnt where I can find only ant Build and deployment options

2 years ago

Hi Mouad EL Fakir,

Thanks for this post. I followed the above steps to fix the log4j vulnerability. But I am getting error like unable to delete “Unable to delete file C:\hybrisdev\hybris\bin\platform\ext\core\lib\log4j-core-2.9.1.jar”. May I know what is this issue and how to fix it?


Reply to  Mouad EL Fakir
2 years ago

I was just doing ant customize. Hybris was not running

Reply to  Satish
2 years ago
#Use deleteonexit 

#Indicates whether to use File#deleteOnExit() if there is a failure to #delete a file. This causes the JVM to attempt to delete the file when #the JVM process is terminating. Since Ant 1.6.2
<delete file="${log4j_api_291}" deleteonexit="true"/>
Reply to  Satish
2 years ago

Is the issue resolved, I am also facing the same, Could you please share the solution if you find it.


Reply to  Satish
2 years ago

try after closing the ecplise.

2 years ago

I am getting the below error when I am trying to upgrade the log4 in Hybris 6.1 version. I think the latest log4 version is not supported in hybris 6.1 SEVERE: Error configuring application listener of class de.hybris.platform.spring.HybrisContextLoaderListener java.lang.ExceptionInInitializerError at de.hybris.platform.util.logging.log4j2.HybrisLog4j2ConfigurationFactory.getConfiguration(HybrisLog4j2ConfigurationFactory.java:49) at org.apache.logging.log4j.core.config.ConfigurationFactory$Factory.getConfiguration(ConfigurationFactory.java:435) at org.apache.logging.log4j.core.config.ConfigurationFactory.getConfiguration(ConfigurationFactory.java:323) at org.apache.logging.log4j.core.LoggerContext.reconfigure(LoggerContext.java:695) at org.apache.logging.log4j.core.LoggerContext.reconfigure(LoggerContext.java:716) at org.apache.logging.log4j.core.LoggerContext.start(LoggerContext.java:270) at org.apache.logging.log4j.core.impl.Log4jContextFactory.getContext(Log4jContextFactory.java:155) at org.apache.logging.log4j.core.impl.Log4jContextFactory.getContext(Log4jContextFactory.java:47) at org.apache.logging.log4j.LogManager.getContext(LogManager.java:196) at org.apache.logging.log4j.spi.AbstractLoggerAdapter.getContext(AbstractLoggerAdapter.java:137) at org.apache.logging.slf4j.Log4jLoggerFactory.getContext(Log4jLoggerFactory.java:55) at org.apache.logging.log4j.spi.AbstractLoggerAdapter.getLogger(AbstractLoggerAdapter.java:47) at org.apache.logging.slf4j.Log4jLoggerFactory.getLogger(Log4jLoggerFactory.java:33) at org.slf4j.LoggerFactory.getLogger(LoggerFactory.java:363) at org.apache.commons.logging.impl.SLF4JLogFactory.getInstance(SLF4JLogFactory.java:155) at org.apache.commons.logging.LogFactory.getLog(LogFactory.java:669) at de.hybris.platform.spring.HybrisContextLoaderListener.(HybrisContextLoaderListener.java:62) at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) at java.lang.reflect.Constructor.newInstance(Constructor.java:423) at java.lang.Class.newInstance(Class.java:442) at org.apache.catalina.core.DefaultInstanceManager.newInstance(DefaultInstanceManager.java:116) at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4932) at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5524) at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150) at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1575) at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1565) at java.util.concurrent.FutureTask.run(FutureTask.java:266) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)… Read more »

2 years ago

does any one give the path to log4j-2.17.2.jar file? how to download this file?

Would love your thoughts, please comment.x