I have been doing some testing and this is what I came up with;
You need to download the v2.16 binaries of Log4j (LogForge)
here.
When you unzip the archive you will find a a lot of jars in there. You need to pick out the following 4 jars. I suggest you put them in a separate directory.
- log4j-api-2.16.0.jar
- log4j-core-2.16.0.jar
- log4j-slf4j18-impl-2.16.0.jar <-- the '18' part is important
- log4j-web-2.16.0.jar
So far I can see these jars are only used on the server so code-signing is not needed for SmartClient deployments.
You can now update your developer OR you can update any deployed WAR files. I will explain each scenario here below:
Updating DeveloperGo into the application_server/lib directory of your developer installation. Make sure Developer is not running.
If you are on macOS and you have the Servoy.app bundle then you first need to right-click on the app and select Show Package Contents. Then the path is Contents/application_server/lib .
Identify the 4 log4j-*.jar files and remove those. Then copy in the 4 new jars listed above. Don't overwrite them as they are named differently.
Now you can launch Developer and export a new WAR file for your deployments.
Updating existing WAR deploymentShutdown your WAR context that you are going to update via the Tomcat Manager interface.
Connect to your server and go into the <tomcat-dir>/webapps directory. Here you see all your WAR files and expanded directories.
Navigate into <war-directory-name>/WEB-INF/lib .
Identify the 4 log4j-*.jar files and remove those. Then copy in the 4 new jars listed above. Don't overwrite them as they are named differently.
You can now start the WAR context again via the Tomcat Manager interface.
You can check in the <tomcat-dir>/work/Catalina/localhost/<war-name>/ if there are cached files. If so you might want to delete those, just for good measure. If you do then you also need to restart Tomcat.
Please be aware that if you touch the original *.war file your changes will be overwritten and the original log4j version will be loaded
Updating your *.war fileYour .war file is just a zip file with another file extension so you can use tools like BetterZip (macOS), 7-zip (Windows) or unzip on Linux (CLI) to unarchive the WAR file.
Navigate into <war-directory-name>/WEB-INF/lib .
Identify the 4 log4j-*.jar files and remove those. Then copy in the 4 new jars listed above. Don't overwrite them as they are named differently.
Now zip the directory back up and make sure it has a .war extension again.
Now you can deploy the war file to your servers.
Hope this helps.