Upgrade Log4j version on Sap Hybris Commerce to fix vulnerability


1. Overview

Recently, several vulnerabilities were found in Apache Log4j, an open-source logging library commonly used by Java applications and services across the internet.

The vulnerabilities allow an attacker to achieve remote code execution by exploiting JNDI lookups.

Many enterprise applications written in Java, SAP Hybris/Commerce included, are potentially vulnerable to the flaws in Log4j.

SAP Hybris/Commerce comes pre-bundled with Apache Log4j. The Log4j version delivered with SAP Hybris/Commerce is a jar library located at ${HYBRIS_BIN_DIR}/platform/ext/core/lib/log4j-core-2.9.1.jar

This jar should be upgraded to the latest version published by Apache, so how do we replace it?

2. Update Log4j

To replace the Log4j library we will use two of the most powerful features of SAP Hybris:

  • Ant build callback : to remove old libraries
  • Ant customize : to place the new libraries (find more about ant customize here and here)

2.1. Ant build callback

Ant build callbacks hook into the life cycle of an Ant target and let you run a script at any point of it.

So let's create a macrodef in the build callbacks of any custom extension; in my case it will be ${HYBRIS_BIN_DIR}/custom/training/buildcallbacks.xml

This macrodef is triggered before ant customize and removes the old Log4j libraries.

<project name="training_buildcallbacks">

    <!-- Log4j old libraries -->
    <property name="log4j_core_291" value="${HYBRIS_BIN_DIR}/platform/ext/core/lib/log4j-core-2.9.1.jar"/>
    <property name="log4j_api_291" value="${HYBRIS_BIN_DIR}/platform/ext/core/lib/log4j-api-2.9.1.jar"/>
    <property name="log4j_slf4j_impl_291" value="${HYBRIS_BIN_DIR}/platform/ext/core/lib/log4j-slf4j-impl-2.9.1.jar"/>

    <!-- top-level echo: runs when the callbacks file is parsed, i.e. before the macrodef body -->
    <echo message="Start before customize for [training]"/>

    <!-- macrodef will be executed just before ant customize -->
    <macrodef name="_before_customize">
        <sequential>
            <!-- check if each jar exists and delete it; <if>/<then> is the ant-contrib conditional loaded by the platform build -->
            <echo message="check if jar exists ${log4j_core_291}"/>
            <if>
                <available file="${log4j_core_291}"/>
                <then>
                    <echo message="delete jar [log4j-core-2.9.1.jar]"/>
                    <delete file="${log4j_core_291}"/>
                </then>
            </if>

            <echo message="check if jar exists ${log4j_api_291}"/>
            <if>
                <available file="${log4j_api_291}"/>
                <then>
                    <echo message="delete jar [log4j-api-2.9.1.jar]"/>
                    <delete file="${log4j_api_291}"/>
                </then>
            </if>

            <echo message="check if jar exists ${log4j_slf4j_impl_291}"/>
            <if>
                <available file="${log4j_slf4j_impl_291}"/>
                <then>
                    <echo message="delete jar [log4j-slf4j-impl-2.9.1.jar]"/>
                    <delete file="${log4j_slf4j_impl_291}"/>
                </then>
            </if>
        </sequential>
    </macrodef>

    <echo message="End before customize for [training]"/>
</project>

2.2. Ant customize

After deleting the old jars, we use ant customize to copy the new ones.

First of all, download the new jars from the Maven repository; the most recent version published at the time of writing is 2.17.1.

Then copy the new jars into ${HYBRIS_CONFIG_DIR}/customize/platform/ext/core/lib

And run the ant customize command.

$ ant customize


     [echo] Start before customize for [training]
     [echo] End before customize for [training]

     [echo] check if jar exists ../projects/stackextend/spartacus-demo/hybris_1905/hybris/bin/platform/ext/core/lib/log4j-core-2.9.1.jar
     [echo] delete jar [log4j-core-2.9.1.jar]
   [delete] Deleting: ../projects/stackextend/spartacus-demo/hybris_1905/hybris/bin/platform/ext/core/lib/log4j-core-2.9.1.jar
     [echo] check if jar exists ../projects/stackextend/spartacus-demo/hybris_1905/hybris/bin/platform/ext/core/lib/log4j-api-2.9.1.jar
     [echo] delete jar [log4j-api-2.9.1.jar]
   [delete] Deleting: ../projects/stackextend/spartacus-demo/hybris_1905/hybris/bin/platform/ext/core/lib/log4j-api-2.9.1.jar
     [echo] check if jar exists ../projects/stackextend/spartacus-demo/hybris_1905/hybris/bin/platform/ext/core/lib/log4j-slf4j-impl-2.9.1.jar
     [echo] delete jar [log4j-slf4j-impl-2.9.1.jar]
   [delete] Deleting: ../projects/stackextend/spartacus-demo/hybris_1905/hybris/bin/platform/ext/core/lib/log4j-slf4j-impl-2.9.1.jar
     [echo] copy the content from ../projects/stackextend/spartacus-demo/hybris_1905/hybris/config/customize to ../projects/stackextend/spartacus-demo/hybris_1905/hybris/bin
     [copy] Copying 4 files to ../projects/stackextend/spartacus-demo/hybris_1905/hybris/bin

Total time: 2 seconds


3. Test

To check that the new version of log4j2 has been picked up, add the property log4j2.status = DEBUG to your local.properties and restart the Hybris server.
If everything goes well, the correct version of log4j2 is displayed in your console log:

jvm 1 | localhost-startStop-1 DEBUG Apache Log4j Core 2.17.1 initializing configuration org.apac[email protected]74103015
jvm 1 | localhost-startStop-1 DEBUG Installed 3 script engines
jvm 1 | localhost-startStop-1 DEBUG BeanShell Engine version: 1.0, language: BeanShell, threading: MULTITHREADED, compile: true, names: [beanshell, bsh, java], factory class: bsh.engine.BshScriptEngineFactory
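The callback above only removes the three jars in platform/ext/core/lib, so a second check a practitioner wants is a sweep of the whole install tree for any log4j-core, log4j-api or log4j-slf4j-impl jar still below 2.17.1. The script below is an added example, not part of the original post or the Hybris platform; the directory layout and jar names in the sample tree are constructed, and only the filename version is inspected.

```shell
#!/bin/sh
# Added example (not from the original post): audit a Hybris tree for
# leftover Log4j 2 jars below a minimum version. The sample tree built by
# make_sample_tree is constructed for demonstration.
MIN_LOG4J="2.17.1"

# version_lt A B: succeed when dotted version A is lower than B.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            p = (i <= n) ? x[i] + 0 : 0; q = (i <= m) ? y[i] + 0 : 0
            if (p < q) exit 0
            if (p > q) exit 1
        }
        exit 1
    }'
}

# find_old_log4j DIR MINVER: print every log4j-core/-api/-slf4j-impl jar
# under DIR whose filename version is below MINVER, one per line.
find_old_log4j() {
    find "$1" -type f \( -name 'log4j-core-*.jar' -o -name 'log4j-api-*.jar' \
        -o -name 'log4j-slf4j-impl-*.jar' \) | sort | while IFS= read -r jar; do
        ver=$(basename "$jar" .jar | sed 's/.*-//')   # text after the last '-'
        if version_lt "$ver" "$2"; then printf '%s\n' "$jar"; fi
    done
}

# audit_log4j DIR MINVER: return 1 (listing the offenders) if any old jar remains.
audit_log4j() {
    old=$(find_old_log4j "$1" "$2")
    if [ -n "$old" ]; then
        printf 'outdated Log4j jars under %s:\n%s\n' "$1" "$old"
        return 1
    fi
    echo "no Log4j jars below $2 under $1"
}

# Constructed sample: core/lib was upgraded, but a second copy elsewhere in
# the tree was missed (layout chosen for the example, not a Hybris path).
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/platform/ext/core/lib" "$root/platform/lib"
    touch "$root/platform/ext/core/lib/log4j-core-2.17.1.jar" \
          "$root/platform/ext/core/lib/log4j-api-2.17.1.jar" \
          "$root/platform/lib/log4j-core-2.9.1.jar"
    printf '%s' "$root"
}

# Against a real install: audit_log4j "${HYBRIS_BIN_DIR}" "$MIN_LOG4J"
```

Run it from the build host after ant customize; a non-zero exit means a jar was missed and the upgrade is not complete.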


Happy reading 🙂

Sureshkumar Chidrapu
18 days ago

Hi Team,

Can you please suggest how to run ant customize on a CCV2 cloud environment, where I can find only ant build and deployment options?

2 days ago

Hi Mouad EL Fakir,

Thanks for this post. I followed the above steps to fix the log4j vulnerability. But I am getting an error like “Unable to delete file C:\hybrisdev\hybris\bin\platform\ext\core\lib\log4j-core-2.9.1.jar”. May I know what this issue is and how to fix it?


Reply to Mouad EL Fakir
2 days ago

I was just doing ant customize. Hybris was not running
