CMDBuild Forum

Log4j in CMDBuild version 2.4

Hello Team, we are running a legacy version of CMDBuild (2.4.0). We are currently in the process of addressing the log4j vulnerability in all of our applications. Could someone assist me? I'm trying to find out if CMDBuild version 2.4.0 uses this, and if it does, is there a known fix to this such as upgrading Apache or log4j directly?

Hi,
CMDBuild version 2.x uses log4j; it is recommended to update to a more recent CMDBuild version (3.x) where log4j has been removed entirely from the system. 2.x versions are no longer maintained.

Regards

Is it possible to update from 2.4 to the latest 3.x version, or is there a guide or steps I could follow in order to do this?

Also, within 2.4 is it possible to disable logging, or change the log4j configuration?

Hi,
It is not possible to disable the logging entirely. Also, if you plan to upgrade to version 3.x, it is suggested to first update to version 3.0 and then proceed with a secondary update to the version you prefer.

Regards

Hello Team, is there any documentation or a step-by-step guide that I can look at to perform this upgrade?