Devo Relay - Security FAQ
Log4j
The Devo Relay v2.0.X installation package includes a log4j library that the relay does not require; it has been removed in v2.1.0. We recommend upgrading to the latest version.
If you want to remove the library without upgrading to the latest version, follow the procedure for your relay version:
For Devo Relay v2.0.X
$ sudo rm /opt/devo/ng-relay/lib/log4j-1.2.17.jar
$ sudo systemctl restart devo-ng-relay.service
For Devo Relay v1.4.2
$ sudo rm /opt/devo/scoja-server/lib/log4j-1.2.17.jar
$ sudo /etc/init.d/devo-scoja-relay stop
$ sudo /etc/init.d/devo-scoja-relay start
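To confirm that both steps of the procedure took effect, the following added example (not part of the Devo documentation or product) checks that the jar is gone from disk and that no process still holds it open, which would mean the relay was not restarted after the removal. The jar name and directories are the ones given above; the function names and the optional root-prefix argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not Devo code). Jar name and lib directories are the ones in
# the procedure above; the optional ROOT prefix is an assumption so the check
# can also run against a mounted image or a constructed test tree.
JAR=log4j-1.2.17.jar

# Print each copy of the jar still on disk; return 1 if any remain.
jar_on_disk() {
    root="${1:-}"; found=0
    for dir in /opt/devo/ng-relay/lib /opt/devo/scoja-server/lib; do
        if [ -e "${root}${dir}/${JAR}" ]; then
            echo "on disk: ${dir}/${JAR}"
            found=1
        fi
    done
    return "$found"
}

# Print each process that still holds the jar open (a relay that was not
# restarted after the rm keeps the deleted file open); return 1 if any.
# Reading other users' /proc/<pid>/fd needs root.
jar_still_open() {
    root="${1:-}"; found=0
    for fd in "${root}"/proc/[0-9]*/fd/*; do
        target=$(readlink "$fd" 2>/dev/null) || continue
        case "$target" in
            */"${JAR}"|*/"${JAR} (deleted)")
                pid=${fd#"${root}"/proc/}; pid=${pid%%/*}
                echo "open in pid ${pid}: ${target}"
                found=1 ;;
        esac
    done
    return "$found"
}

# Both checks must pass for the removal to be complete.
check_relay_log4j() {
    rc=0
    jar_on_disk "${1:-}" || rc=1
    jar_still_open "${1:-}" || rc=1
    return "$rc"
}

# Usage on the relay host, as root:  check_relay_log4j && echo "log4j removed"
```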
Spring4Shell
Devo Relay relies on the Spring library, but it does not use Spring MVC or Spring WebFlux, so it is not impacted by the Spring4Shell vulnerability.