URGENT Security Advisory 2021-12-11 (re Apache Log4j 2)

Hi @ibacher, we have raised PRs with log4j2 changes on both the openmrs-core (on 2.1.x) and LegacyUI (on 1.9.0) repositories. Please find the PR links below:

openmrs-core TRUNK-6057: log4j2.x changes in 2.1.x by sivareddytw · Pull Request #3979 · openmrs/openmrs-core · GitHub

LegacyUI LUI-184 : Changes for log4j2.x by sivareddytw · Pull Request #177 · openmrs/openmrs-module-legacyui · GitHub

Requesting you to review the PRs. Let us know if they require any changes. Thanks!

@binduak @sivareddy Thanks for all the work on this. I’ve merged the PR for core and updated the LegacyUI PR with my suggested changes. I’m hoping to release 2.1.5 today, but there’s an additional security-related change I’d like to get in before we do so.

I’d also recommend taking a look at TRUNK-6052 at some point in the future. This allows OpenMRS’s logging to be configured via an external log4j2.xml file, which is somewhat challenging the way the log4j2 (and the log4j stuff before it) is written. But this is absolutely not critical.


Core 2.1.5 has been released with the Log4J2 changes. Thanks to the Bahmni team for the work on this.

