on ‎2021 Dec 13 3:37 PM
Hello,
Concerning this vulnerability, I read that this does not apply to Commerce Cloud versions greater than 1905. But what about on-premise versions? Are there actions to be taken?
Best regards
If you are asking whether you need to do something on your on-prem system, the answer is: yes, definitely. You need to apply the workarounds suggested by Apache. For versions up to and including 1905, you should modify log4j-core-*.jar, since the version is below 2.10; for later versions (I only confirmed for version 2011, but others may be the same), adding the JVM property -Dlog4j2.formatMsgNoLookups=true is needed. Both solutions require restarting the servers. To find out which action you need, check the log4j2 version by looking at the file log4j-core-{version}.jar under the directory ${HYBRIS_BIN_DIR}/platform/ext/core/lib. By confirming the version from the jar, you can decide what to do.
If you are asking what SAP is planning to do about this, I believe they will release a patch that includes a log4j2 library update for supported versions as soon as possible. However, I am not sure when this patch will be released.
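The version check described in the answer above, as an added example that is not part of the original thread or any SAP tooling: it reads the version from each log4j-core-{version}.jar name in a lib directory and prints which of the two workarounds the answer assigns to it. The function names and the output labels modify-jar and jvm-property are assumptions.

```shell
#!/bin/sh
# Added example: apply the answer's decision rule to the log4j-core jar(s)
# found in a lib directory. Function names and output labels are assumptions.

# Extract {version} from a log4j-core-{version}.jar file name.
log4j_version_from_jar() {
    name=$(basename "$1" .jar)
    printf '%s\n' "${name#log4j-core-}"
}

# Map a version to the workaround the answer names for it:
# below 2.10 -> modify the jar, 2.10 and later -> JVM property.
log4j_action_for_version() {
    major=${1%%.*}
    rest=${1#*.}
    [ "$rest" != "$1" ] || { echo unknown; return 0; }   # no dot at all
    minor=${rest%%.*}
    minor=${minor%%[!0-9]*}                              # "0-beta9" -> "0"
    case "$major" in ''|*[!0-9]*) echo unknown; return 0 ;; esac
    [ -n "$minor" ] || { echo unknown; return 0; }
    if [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -ge 10 ]; }; then
        echo jvm-property      # add -Dlog4j2.formatMsgNoLookups=true, restart
    else
        echo modify-jar        # change log4j-core-*.jar itself, restart
    fi
}

# Print "<jar> <version> <action>" for each jar; return 1 if none exist.
check_log4j_dir() {
    found=0
    for jar in "$1"/log4j-core-*.jar; do
        [ -e "$jar" ] || continue      # glob did not match anything
        found=1
        ver=$(log4j_version_from_jar "$jar")
        printf '%s %s %s\n' "$(basename "$jar")" "$ver" \
            "$(log4j_action_for_version "$ver")"
    done
    [ "$found" -eq 1 ]
}

# Run against a real installation only when HYBRIS_BIN_DIR is set.
if [ -n "${HYBRIS_BIN_DIR:-}" ]; then
    check_log4j_dir "$HYBRIS_BIN_DIR/platform/ext/core/lib" ||
        echo "no log4j-core jar found" >&2
fi
```

The script only reports; both workarounds still require the server restart the answer mentions.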
Hi,
you can follow the official SAP KBA on this topic: https://launchpad.support.sap.com/#/notes/3130967