Upgrade Log4j version on SAP Hybris Commerce to fix vulnerability
1. Overview
Recently, several vulnerabilities were found in Apache Log4j, an open-source logging library commonly used by Java apps and services across the internet.
The vulnerabilities allow an attacker to perform remote code execution by exploiting JNDI lookups.
Many enterprise applications written in Java, SAP Hybris/Commerce included, are potentially vulnerable to the flaws in Log4j.
SAP Hybris/Commerce comes pre-bundled with Apache Log4j. The Log4j version delivered with SAP Hybris/Commerce comes as a jar library located in ${HYBRIS_BIN_DIR}/platform/ext/core/lib/log4j-core-2.9.1.jar.
This jar library should be upgraded to the latest version published by Apache, so how do we replace it?
2. Update Log4j
To replace the Log4j library we will be using two of the most powerful features of SAP Hybris:
- Ant build callback: to remove the old libraries
- Ant customize: to place the new libraries (see the SAP Commerce documentation on ant customize for more details)
2.1. Ant build callback
Ant build callbacks are used to hook into the life cycle of the Ant targets and run a script at any point in time.
So let's create a macrodef in the build callbacks of any custom extension; in my case it will be ${HYBRIS_BIN_DIR}/custom/training/buildcallbacks.xml.
This macrodef will be triggered before ant customize, to remove the old Log4j libraries.
<project name="training_buildcallbacks">
    <!-- Log4j old libraries -->
    <property name="log4j_core_291" value="${HYBRIS_BIN_DIR}/platform/ext/core/lib/log4j-core-2.9.1.jar"/>
    <property name="log4j_api_291" value="${HYBRIS_BIN_DIR}/platform/ext/core/lib/log4j-api-2.9.1.jar"/>
    <property name="log4j_slf4j_impl_291" value="${HYBRIS_BIN_DIR}/platform/ext/core/lib/log4j-slf4j-impl-2.9.1.jar"/>

    <echo message="Start before customize for [training]"/>

    <!-- macrodef will be executed just before ant customize -->
    <macrodef name="_before_customize">
        <sequential>
            <!-- check if jars exist and delete them all -->
            <echo message="check if jar exists ${log4j_core_291}"/>
            <if>
                <available file="${log4j_core_291}"/>
                <then>
                    <echo message="delete jar [log4j-core-2.9.1.jar]"/>
                    <delete file="${log4j_core_291}"/>
                </then>
            </if>

            <echo message="check if jar exists ${log4j_api_291}"/>
            <if>
                <available file="${log4j_api_291}"/>
                <then>
                    <echo message="delete jar [log4j-api-2.9.1.jar]"/>
                    <delete file="${log4j_api_291}"/>
                </then>
            </if>

            <echo message="check if jar exists ${log4j_slf4j_impl_291}"/>
            <if>
                <available file="${log4j_slf4j_impl_291}"/>
                <then>
                    <echo message="delete jar [log4j-slf4j-impl-2.9.1.jar]"/>
                    <delete file="${log4j_slf4j_impl_291}"/>
                </then>
            </if>
        </sequential>
    </macrodef>

    <echo message="End before customize for [training]"/>
</project>
2.2. Ant customize
After deleting the old jars, we will use ant customize to copy the new ones.
First of all, download the new jars from the Maven repository; the most recent version published at the time of writing is 2.17.1.
- Log4j core 2.17.1 : https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-core/2.17.1
- Log4j api 2.17.1 : https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-api/2.17.1
- Log4j slf4j-impl 2.17.1 : https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-slf4j-impl/2.17.1
Then, copy the new jars into ${HYBRIS_CONFIG_DIR}/customize/platform/ext/core/lib
and run the ant customize command.
$ ant customize
...
[echo] Start before customize for [training]
[echo] End before customize for [training]
customize:
[echo] check if jar exists ../projects/stackextend/spartacus-demo/hybris_1905/hybris/bin/platform/ext/core/lib/log4j-core-2.9.1.jar
[echo] delete jar [log4j-core-2.9.1.jar]
[delete] Deleting: ../projects/stackextend/spartacus-demo/hybris_1905/hybris/bin/platform/ext/core/lib/log4j-core-2.9.1.jar
[echo] check if jar exists ../projects/stackextend/spartacus-demo/hybris_1905/hybris/bin/platform/ext/core/lib/log4j-api-2.9.1.jar
[echo] delete jar [log4j-api-2.9.1.jar]
[delete] Deleting: ../projects/stackextend/spartacus-demo/hybris_1905/hybris/bin/platform/ext/core/lib/log4j-api-2.9.1.jar
[echo] check if jar exists ../projects/stackextend/spartacus-demo/hybris_1905/hybris/bin/platform/ext/core/lib/log4j-slf4j-impl-2.9.1.jar
[echo] delete jar [log4j-slf4j-impl-2.9.1.jar]
[delete] Deleting: ../projects/stackextend/spartacus-demo/hybris_1905/hybris/bin/platform/ext/core/lib/log4j-slf4j-impl-2.9.1.jar
[echo] copy the content from ../projects/stackextend/spartacus-demo/hybris_1905/hybris/config/customize to ../projects/stackextend/spartacus-demo/hybris_1905/hybris/bin
[copy] Copying 4 files to ../projects/stackextend/spartacus-demo/hybris_1905/hybris/bin
BUILD SUCCESSFUL
Total time: 2 seconds
3. Test
To check that the new version of log4j2 has been taken into account, add the property log4j2.status = DEBUG to your local.properties and restart the Hybris server.
If everything goes well, the right version of log4j2 will be displayed in your console log:
jvm 1 | localhost-startStop-1 DEBUG Apache Log4j Core 2.17.1 initializing configuration org.apache.logging.log4j.core.config.properties.PropertiesConfiguration@74103015
jvm 1 | localhost-startStop-1 DEBUG Installed 3 script engines
jvm 1 | localhost-startStop-1 DEBUG BeanShell Engine version: 1.0, language: BeanShell, threading: MULTITHREADED, compile: true, names: [beanshell, bsh, java], factory class: bsh.engine.BshScriptEngineFactory
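As an added check that is not part of the original post, the small Python scanner below walks a Hybris bin tree and reports every log4j-core jar older than 2.17.1. It reads the version from the Maven metadata inside each jar rather than trusting the file name, and also covers jars that other extensions may bundle outside platform/ext/core/lib. The root directory is taken from the command line or from HYBRIS_BIN_DIR (an assumption matching the post's variable).

```python
import os
import re
import sys
import zipfile
from pathlib import Path

# Release the post upgrades to; anything below it is reported.
FIXED_VERSION = (2, 17, 1)
# Maven metadata that log4j-core jars carry; more reliable than the file name.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
NAME_RE = re.compile(r"log4j-core-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text):
    """Turn '2.9.1' into (2, 9, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def jar_version(jar):
    """Prefer the version recorded inside the jar; fall back to the file name."""
    try:
        with zipfile.ZipFile(jar) as zf:
            for line in zf.read(POM_PROPS).decode().splitlines():
                if line.startswith("version="):
                    return parse_version(line.split("=", 1)[1].strip())
    except (KeyError, zipfile.BadZipFile):
        pass  # no Maven metadata, or not a real zip: trust the file name instead
    match = NAME_RE.search(jar.name)
    return parse_version(match.group(1)) if match else None


def scan_log4j_core(root):
    """Return [(path, version, needs_upgrade)] for every log4j-core jar under root."""
    findings = []
    for jar in sorted(Path(root).rglob("log4j-core-*.jar")):
        version = jar_version(jar)
        stale = version is None or version < FIXED_VERSION
        findings.append((str(jar), version, stale))
    return findings


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else os.environ.get("HYBRIS_BIN_DIR", ".")
    for path, version, stale in scan_log4j_core(root):
        shown = ".".join(map(str, version)) if version else "?"
        print(f"{'UPGRADE' if stale else 'ok':8} {shown:8} {path}")
```

Run it after ant customize with the same HYBRIS_BIN_DIR the build used; an empty list of UPGRADE lines is the result you want.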
Happy reading 🙂
Hi Team,
Can you please suggest how to run ant customize on a CCV2 cloud environment where I can find only ant build and deployment options?
I don't think you need to do anything, I think it will be taken care of by SAP.
Hi Mouad EL Fakir,
Thanks for this post. I followed the above steps to fix the log4j vulnerability. But I am getting an error: “Unable to delete file C:\hybrisdev\hybris\bin\platform\ext\core\lib\log4j-core-2.9.1.jar”. May I know what this issue is and how to fix it?
Regards,
Satish
Hello,
Please make sure that Hybris is not running!
I was just doing ant customize. Hybris was not running.
Is the issue resolved? I am also facing the same. Could you please share the solution if you find it.
Thanks,
Pavan
Try after closing Eclipse.
I am getting the below error when I am trying to upgrade log4j in Hybris version 6.1. I think the latest log4j version is not supported in Hybris 6.1.
SEVERE: Error configuring application listener of class de.hybris.platform.spring.HybrisContextLoaderListener
java.lang.ExceptionInInitializerError
at de.hybris.platform.util.logging.log4j2.HybrisLog4j2ConfigurationFactory.getConfiguration(HybrisLog4j2ConfigurationFactory.java:49)
at org.apache.logging.log4j.core.config.ConfigurationFactory$Factory.getConfiguration(ConfigurationFactory.java:435)
at org.apache.logging.log4j.core.config.ConfigurationFactory.getConfiguration(ConfigurationFactory.java:323)
at org.apache.logging.log4j.core.LoggerContext.reconfigure(LoggerContext.java:695)
at org.apache.logging.log4j.core.LoggerContext.reconfigure(LoggerContext.java:716)
at org.apache.logging.log4j.core.LoggerContext.start(LoggerContext.java:270)
at org.apache.logging.log4j.core.impl.Log4jContextFactory.getContext(Log4jContextFactory.java:155)
at org.apache.logging.log4j.core.impl.Log4jContextFactory.getContext(Log4jContextFactory.java:47)
at org.apache.logging.log4j.LogManager.getContext(LogManager.java:196)
at org.apache.logging.log4j.spi.AbstractLoggerAdapter.getContext(AbstractLoggerAdapter.java:137)
at org.apache.logging.slf4j.Log4jLoggerFactory.getContext(Log4jLoggerFactory.java:55)
at org.apache.logging.log4j.spi.AbstractLoggerAdapter.getLogger(AbstractLoggerAdapter.java:47)
at org.apache.logging.slf4j.Log4jLoggerFactory.getLogger(Log4jLoggerFactory.java:33)
at org.slf4j.LoggerFactory.getLogger(LoggerFactory.java:363)
at org.apache.commons.logging.impl.SLF4JLogFactory.getInstance(SLF4JLogFactory.java:155)
at org.apache.commons.logging.LogFactory.getLog(LogFactory.java:669)
at de.hybris.platform.spring.HybrisContextLoaderListener.(HybrisContextLoaderListener.java:62)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
at java.lang.Class.newInstance(Class.java:442)
at org.apache.catalina.core.DefaultInstanceManager.newInstance(DefaultInstanceManager.java:116)
at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4932)
at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5524)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1575)
at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1565)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
…
Does anyone have the path to the log4j-2.17.2.jar file? How do I download this file?