Hi @ibacher We have raised PR’s with log4j2 changes on both openmrs-core (on 2.1.x) and LegacyUI (on 1.9.0) repositories. Please find below the PR links
@binduak@sivareddy Thanks for all the work on this. I’ve merged the PR for core and updated the LegacyUI PR with my suggested changes. I’m hoping to release 2.1.5 today, but there’s an additional security-related change I’d like to get in before we do so.
I’d also recommend taking a look at TRUNK-6052 at some point in the future. This allows OpenMRS’s logging to be configured via an external log4j2.xml file, which is somewhat challenging the way the log4j2 (and the log4j stuff before it) is written. But this is absolutely not critical.