I have some issues porting an application running in a JBoss 7.1 environment from log4j to log4j2.
I have ported my software to log4j2 (2.17.1), but that is not enough. I understand that JBoss configuration changes (not so simple) are needed to get the applications to run correctly and write log data to the correct log files.
Do you have any hints to help me?
Based on what I read on the Red Hat portal [customer access only] I wonder if a port for front-end applications is necessary.
No version of JBoss EAP 6.x/7.x is vulnerable to CVE-2021-44228 currently thanks to the use of the JBoss Logging framework instead of Log4J. Please refer to the security bulletin - RHSB-2021-009 for further information on this vulnerability and impacted Red Hat products. [...] EAP 7.x's log manager does port in log4j JMSAppender code so is similarly impacted by CVE-2021-4104 with enabled JMSAppenders. But in further reviewing this vulnerability, we have determined this can only be considered a true vulnerability when the attacker has write access to the Log4j configuration to add a JMSAppender to the attacker's JMS Broker.
JBoss EAP 7.1 is not vulnerable or affected by this CVE. This version of JBoss EAP does not include log4j 2. JBoss EAP 7.4 does include the log4j-api, but does not include log4j-core and therefore it is also not vulnerable.
In short, JBoss EAP is not vulnerable and there is nothing in its configuration you need to change.
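The answer turns on which log4j artifacts are actually present in a deployment (log4j-api alone versus log4j-core, and whether a log4j 1.x configuration enables a JMSAppender), so here is an added example, not part of either post and not a Red Hat or JBoss tool, that inventories exactly that in a JBoss deployments directory. It assumes unmodified Maven jar names (log4j-api-x.y.z.jar, log4j-core-x.y.z.jar, log4j-1.x.y.jar), the well-known JndiLookup class path inside log4j-core, and a constructed sample tree (a packed WAR plus an exploded WAR) built inline with stub jars; the 2.17.1 target version comes from the question.

```python
"""Added example: inventory log4j artifacts in a JBoss deployments tree.

Reports log4j-api / log4j-core 2.x jars (version, and whether JndiLookup is
still inside), log4j 1.x jars, and log4j config files that reference a
JMSAppender. Handles jars nested in WARs/EARs as well as exploded deployments.
All sample data is constructed in build_sample_deployments(); no real log4j
classes are involved.
"""
import io
import os
import re
import tempfile
import zipfile
from pathlib import Path

ARCHIVE_SUFFIXES = (".jar", ".war", ".ear")
# Assumption: deployments use the standard Maven artifact names.
LOG4J2_JAR = re.compile(r"(?:^|/)(log4j-(?:api|core))-(\d+)\.(\d+)\.(\d+)\.jar$")
LOG4J1_JAR = re.compile(r"(?:^|/)log4j-(1\.\d+\.\d+)\.jar$")
CONFIG_NAMES = {"log4j.properties", "log4j.xml", "log4j2.xml", "log4j2.properties"}
# Class implementing the JNDI lookup behind CVE-2021-44228.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
TARGET_VERSION = (2, 17, 1)  # log4j2 version the question says the app was ported to


def _inspect(name, data, full_path, findings):
    """Classify one file by name; `data()` lazily returns its bytes."""
    m = LOG4J2_JAR.search(name)
    if m:
        version = tuple(int(x) for x in m.group(2, 3, 4))
        try:
            members = zipfile.ZipFile(io.BytesIO(data())).namelist()
        except zipfile.BadZipFile:
            members = []
        findings.append({"path": full_path, "artifact": m.group(1), "version": version,
                         "jndi_lookup": JNDI_LOOKUP in members,
                         "below_target": version < TARGET_VERSION})
        return
    m = LOG4J1_JAR.search(name)
    if m:
        findings.append({"path": full_path, "artifact": "log4j-1.x", "version": m.group(1)})
        return
    if os.path.basename(name) in CONFIG_NAMES:
        text = data().decode("utf-8", errors="replace")
        findings.append({"path": full_path, "artifact": "config",
                         "jms_appender": "JMSAppender" in text})
        return
    if name.endswith(ARCHIVE_SUFFIXES):  # descend into WAR/EAR/other jars
        try:
            with zipfile.ZipFile(io.BytesIO(data())) as zf:
                for inner in zf.namelist():
                    _inspect(inner, lambda n=inner: zf.read(n), f"{full_path}!{inner}", findings)
        except zipfile.BadZipFile:
            pass


def scan_deployments(root):
    """Walk `root` (packed and exploded deployments alike) and return findings."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in sorted(filenames):
            path = Path(dirpath, fn)
            rel = path.relative_to(root).as_posix()
            _inspect(rel, lambda p=path: p.read_bytes(), rel, findings)
    return findings


def summarize(findings):
    """Reduce findings to the questions raised in the thread."""
    def paths(key, value=True):
        return sorted(f["path"] for f in findings if f.get(key) == value)
    return {
        "log4j_core_present": any(f["artifact"] == "log4j-core" for f in findings),
        "below_target": paths("below_target"),
        "jndi_lookup_present": paths("jndi_lookup"),
        "jms_appender_configs": paths("jms_appender"),
        "log4j1_jars": paths("artifact", "log4j-1.x"),
    }


def build_sample_deployments(root):
    """Construct a fake deployments tree (stub jars, no real log4j classes)."""
    def jar(members):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            for name, content in members.items():
                zf.writestr(name, content)
        return buf.getvalue()

    manifest = {"META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n"}
    # Packed WAR: current log4j-api, a stale log4j-core still carrying JndiLookup,
    # and a log4j 1.x config that wires up a JMSAppender.
    with zipfile.ZipFile(os.path.join(root, "frontend.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-api-2.17.1.jar", jar(manifest))
        war.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", jar({**manifest, JNDI_LOOKUP: b"stub"}))
        war.writestr("WEB-INF/classes/log4j.properties",
                     "log4j.rootLogger=INFO, jms\n"
                     "log4j.appender.jms=org.apache.log4j.net.JMSAppender\n")
    # Exploded WAR shipping only log4j-api, the situation the answer describes for EAP 7.4.
    lib = Path(root, "backend.war", "WEB-INF", "lib")
    lib.mkdir(parents=True)
    (lib / "log4j-api-2.17.1.jar").write_bytes(jar(manifest))


def run_demo():
    """Build the constructed tree in a temp dir, scan it and return the summary."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_deployments(root)
        return summarize(scan_deployments(root))


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Point scan_deployments() at a real deployments directory to get the same summary for your own WARs; a deployment that only shows log4j-api entries matches the situation the answer describes, while any log4j-core entry below the target version, any jar still containing JndiLookup, or any config file naming a JMSAppender is what you would want to review before concluding that nothing needs to change.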