Eclipse Eclipse IDE for Java Developers (includes Incubating components) Version: 2021-12 (4.22.0) Build id: 20211202-1639 OS: Mac OS X, v.10.16, x86_64 / cocoa Java vendor: Oracle Corporation Java runtime version: 14.0.2+12-46 Java version: 14.0.2

Using this plugin folder location: /Users/<user>/.p2/pool/plugins/com.oxygenxml.editor_24.0.0.v2021121518 where <user> is my user ID Selected 'u' for update

The patcher exited with this error:

Error: Could not find or load main class com.oxygenxml.patcher.log4j.Patcher
Caused by: java.lang.ClassNotFoundException: com.oxygenxml.patcher.log4j.Patcher
Leaving..

Note: The patcher worked great for the full Oxygen Editor software. Thank you!

Hi, I just applied the patch to my "Oxygen XML Developer 21", but it looks like there are still 2 log4j.jar files that are out of date (last modification of the file is 04/2019) :

• Oxygen XML Developer 21\lib\log4j.jar
• Oxygen XML Developer 21\frameworks\dita\DITA-OT3.x\plugins\com.oxygenxml.common\lib\log4j.jar

My IT services are complaining about that 2 files still have the log4j vulnerability.

Did I missed something?

Thanks for helping

Matthieu RICAUD-DUSSARGET

We had a user report a problem with the path entered to point to the Oxygen folder. If the entered path ends in "\", the patcher fails. e.g.

D:\gitProjects\oxygen-log4j-patcher>patch.bat
...
Enter path:C:\Program Files\Oxygen XML Editor 21.1\
Using java from: "C:\Program Files\Oxygen XML Editor 21.1\\jre"
Please confirm that you want to apply the patch over the folder:
"C:\Program Files\Oxygen XML Editor 21.1\"
(yes/no)yes
Please choose what type of patch do you want to apply:
  Type 'u' - for upgrading the log4j library
  Type 'r' - for keeping the current log4j library, but removing the vulnerable JNDI classes from it.
Enter one of (u/r):u
Configuration ok.
Make sure the Oxygen application or server is closed before proceeding.
Press ENTER when ready...

D:\gitProjects\oxygen-log4j-patcher>"C:\Program Files\Oxygen XML Editor 21.1\\jre\bin\java.exe" -cp target/classes com.oxygenxml.patcher.log4j.Patcher "C:\Program Files\Oxygen XML Editor 21.1\" "u"
Java version is 1.8.0_202
Unknown patching strategy: 'null'.

Hello, I have Oxygen 20.1 installed on my Windows machine. After running the patch, I see updated Log4j 2.17.1 versions in the "Libraries" view. However, when running scans for older Log4J versions, I am still seeing them popping up in the following directories:

C:\Program Files\Oxygen XML Editor 20\frameworks\dita\DITA-OT2.x\plugins\com.oxygenxml.common\lib\log4j-1.2.17.jar C:\Program Files\Oxygen XML Editor 20\frameworks\dita\DITA-OT2.x\plugins\com.oxygenxml.pdf.css\lib\log4j-1.2.17.jar C:\Program Files\Oxygen XML Editor 20\frameworks\docbook\xsl\com.oxygenxml.webhelp.classic\lib\log4j-1.2.17.jar C:\Program Files\Oxygen XML Editor 20\lib\log4j.jar

Is the patch meant to update the versions of log4j in these directories? If not, is there another mitigation for updating them?

I appreciate any guidance anyone can provide.

I dont know where to put this because its more a general question: The exist-db datasources (manually created) uses the log4j.jar files for exist-db connections to connect to older exist-db Versions (eg. Versions < 5) is there a need to patch these local files too?

We had a forum post in which users did not manage to configure the JAVA_HOME variable correctly: https://www.oxygenxml.com/forum/topic23848.html .

Currently we assume that users:

• Know where Java is installed
• Know the semantics of JAVA_HOME
• Know how to set an environment variable in Windows

If we want any Oxygen users to be able to apply this patch, we need to make it simpler to detect Java.