IMPORTANT NOTICE: LOG4J Security Vulnerability

On the 11th December we became aware of a security vulnerability in the OpenVPMS application that could be exploited to gain access to the server OpenVPMS is running on.

This security vulnerability exists in Log4j, a library that is part of the OpenVPMS application and is responsible for logging messages in OpenVPMS. The vulnerability is called Log4Shell (

OpenVPMS releases 2.2 and up use a version of this library that is affected by this security vulnerability.  OpenVPMS releases prior to this are not affected.

The latest release of OpenVPMS 2.3 ( includes a fix to this vulnerability.

In prior versions, the vulnerability can be fixed by making a change to the startup options of the Apache Tomcat service used to run OpenVPMS, followed by restarting the service. The process for doing this on various operating systems is shown below.

For customers utilising Amazon AWS cloud-hosted servers set up by OpenVPMS, or running our fully managed cloud-hosted solution, we will work on the necessary changes over the next week.

For anyone running their own on-premise server and OpenVPMS 2.2 or greater, it is important you get your local IT company to make the changes detailed below. If they need any assistance, please get them to email us at support[at]openvpms[dot]com


As an administrator on the Windows server running OpenVPMS, run the Tomcat configuration utility. The utility can typically be found at one of these locations, depending on the version of Apache Tomcat running.

C:\Program Files\Apache Software Foundation\Tomcat 8.5\bin  (64 bit)

C:\Program Files (x86)\Apache Software Foundation\Tomcat 8.5\bin (32 bit)

Once it is running, click on the Java tab and, in the Java options area, add the following option.


Click OK to save the changes.

Restart the Apache Tomcat service to make the changes take effect. This can be done using the Windows services application shown below.