A vulnerability (CVE-2021-44228) was reported in Apache Log4j, the Java log output library used in Cubism Editor and Cubism Viewer.
The vulnerability is fixed in Cubism Editor 4.1.04 and later. You can download these versions and use them as they are without following this guidance.
We believe that Cubism Editor and Cubism Viewer are unlikely to be the target due to the nature of Log4j’s vulnerability, but users of Cubism Editor 4.1.03 and earlier can address this issue individually by following the steps below.
This method can be used for Cubism 3 and later.
Cubism 2.1 does not use Log4j, therefore it is not affected by this issue.
Download the jar file from the following link.
Open the folder located in the path below.
C:\Program Files\Live2D Cubism x.x\app\lib
Macintosh HD/Applications/Live2D Cubism x.x/res
* The name of the folder is different for each version. The “x.x” part refers to the version of Cubism Editor.
* If you have Cubism Editor installed in another folder, replace it with that folder.
Make a backup copy of the jar file with the name “log4j-core-2.5.jar” in the opened folder.
Put the downloaded jar file into this folder to overwrite the existing file.