Critical Apache Log4j Vulnerability in WorldServer- resolution for versions 11.0.0. and 11.0.1

There is a critical remote code execution vulnerability for Apache Log4j2 v2.0 through v2.14. How do we address this issue in versions 11.0.0. and 11.0.1?

WorldServer versions 11.0.0 and WS 11.0.1, although they are using log4j 1.x, they also contain log4j 2.2 as a transitive dependency.

In order to mitigate this issue for log4j 2.2, we need to remove the JndiLookup.class from within log4j-core-2.2.jar\org\apache\logging\log4j\core\lookup\

Attached to this article, you will find a jar file with the class removed. You can either use it, or just make a copy with it removed by yourself.

You will need it to replace the existing one in the following locations:

1. \WorldServer\tomcat\webapps\ws\WEB-INF\lib
2. \WorldServer\tomcat\webapps\ws-api\WEB-INF\lib

Optional (recommended) is to also replace it within the war files (can be done with 7zip for example):

1. \WorldServer\tomcat\webapps\ws.war\WEB-INF\lib\
2. \WorldServer\tomcat\webapps\ws-api.war\WEB-INF\lib\

Important: WorldServer (Idiom Service) should be restarted after this change.

On a multi-server environment, the change and restart must be deployed on each Application Server on which WorldServer is deployed.

Note: this issue will be permanently solved in the upcoming WorldServer 11.7.2. version.

This issue impacts all WorldServer 11 versions. This issue does not impact WorldServer 10 deployments.

These articles are relevant:

WorldServer: How to address the Critical Apache Log4j Vulnerability in WorldServer 11.x
Critical Apache Log4j Vulnerability in WorldServer- resolution for versions 11.3.x to 11.5.x
Critical Apache Log4j Vulnerability in WorldServer- resolution for versions 11.1.0, 11.1.1. and 11.2.x
Are WorldServer 10.x versions affected by the critical Apache Log4j Vulnerability?