2021-0001: Apache log4j library security advisory
Due to the most recent and past security vulnerabilities of the Apache log4j library, we have unbundled the library from all the installation packages of ePublisher.
While the most recent security vulnerability, CVE-2021-45046, is not actually present in the version of the Apache tools installed by ePublisher, there was enough ambiguity, together with a past security vulnerability, CVE-2019-17571, to warrant removing this library. It was also not used by any part of the ePublisher conversion system, so removing it was purely a precaution.
Note: For information on log4j see: https://logging.apache.org/log4j/2.x/
Security ID(s)
CVE-2021-45046,
CVE-2019-17571
Details
In all versions of ePublisher prior to 2021.1.4107, we included an Apache library called log4j.
While this library is NOT used by default by any part of ePublisher or its generation process, it has been removed from ePublisher 2021.1.4107 and later versions as a precaution.
With the library removed in its entirety, it can no longer be a source of vulnerability in ePublisher.
Workaround for prior versions of ePublisher
ePublisher 2021.1.4096 and earlier still include the Apache log4j library.
You can manually remove it from these versions by following the instructions below.
Note: By default, neither Apache Ant nor Apache FOP uses log4j, so removing or replacing the following jar files is only a precaution.
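Before removing or replacing anything, it helps to confirm exactly which jars in an installation actually carry log4j classes, and of which generation (1.x or 2.x), since the removal and the CVE exposure differ between them. The following inventory script is an added example, not part of this advisory or of the ePublisher product; the install path it scans, the jar names and versions it builds as fixtures, and the Ant/FOP folder layout are all constructed for demonstration. It walks a directory tree, opens each jar as a zip archive, and reports jars that contain log4j 1.x (`org/apache/log4j/`) or 2.x (`org/apache/logging/log4j/`) class paths, additionally flagging whether the 2.x `JndiLookup` class is present.

```python
"""Inventory check for bundled log4j jars in an install tree.

Added example (not from the advisory): walks an installation directory,
identifies jar files that carry log4j classes, and reports which log4j
generation (1.x or 2.x) each one contains, so you can confirm what you are
about to remove or replace. The install tree built by build_sample_install()
is a constructed fixture, not a real ePublisher layout.
"""
import os
import tempfile
import zipfile
from pathlib import Path

# Package prefixes that distinguish the two log4j generations inside a jar.
LOG4J_1_PREFIX = "org/apache/log4j/"
LOG4J_2_PREFIX = "org/apache/logging/log4j/"
# Class path referenced by the log4j 2.x advisories when describing JNDI lookup support.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def classify_jar(jar_path):
    """Return a dict describing the log4j content of one jar, or None if it has none."""
    try:
        with zipfile.ZipFile(jar_path) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return None  # not a real jar; skip it rather than abort the whole scan
    has_v1 = any(n.startswith(LOG4J_1_PREFIX) for n in names)
    has_v2 = any(n.startswith(LOG4J_2_PREFIX) for n in names)
    if not (has_v1 or has_v2):
        return None
    return {
        "path": str(jar_path),
        "log4j_1x": has_v1,
        "log4j_2x": has_v2,
        "jndi_lookup_present": JNDI_LOOKUP in names,
    }


def find_log4j_jars(install_root):
    """Walk install_root and return a finding for every jar containing log4j classes."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(install_root):
        for name in filenames:
            if name.lower().endswith(".jar"):
                info = classify_jar(Path(dirpath) / name)
                if info:
                    findings.append(info)
    return sorted(findings, key=lambda f: f["path"])


def _make_jar(path, entries):
    """Create a minimal jar (a zip with a manifest) holding the given entry names. Fixture only."""
    path.parent.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        for entry in entries:
            zf.writestr(entry, b"")


def build_sample_install():
    """Constructed install tree (hypothetical layout): a log4j 1.x jar under an Ant lib
    folder, a log4j 2.x core jar under a FOP lib folder, and one unrelated jar.
    Returns the temporary root path."""
    root = Path(tempfile.mkdtemp(prefix="log4j_scan_"))
    _make_jar(root / "Ant" / "lib" / "log4j-1.2.17.jar",
              [LOG4J_1_PREFIX + "Logger.class", LOG4J_1_PREFIX + "net/SocketServer.class"])
    _make_jar(root / "FOP" / "lib" / "log4j-core-2.14.1.jar",
              [LOG4J_2_PREFIX + "core/Logger.class", JNDI_LOOKUP])
    _make_jar(root / "FOP" / "lib" / "commons-io-2.8.jar",
              ["org/apache/commons/io/IOUtils.class"])
    return root


if __name__ == "__main__":
    # Point find_log4j_jars() at a real install folder instead of the fixture for actual use.
    for finding in find_log4j_jars(build_sample_install()):
        print(finding)
```

The scan keys on class paths inside each archive rather than on the jar's file name, so a renamed or repackaged log4j (for example, one shaded into another jar) is still reported. Run it against the real install folder, then apply the removal steps to the jars it lists.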
Steps