On 12-12-2021 at 10:14, Richard Duivenvoorde wrote:
Hi Devs,
In our national IT security group (and national news) there is an item
about an issue with log4j2, pointing to:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228
or
https://logging.apache.org/log4j/2.x/security.html
As I deployed some Geoservers at some servers here and there :-) I'm
wondering IF Geoserver (as a public-facing Java application) is
vulnerable or not...
Can anybody confirm whether Geoserver (or Tomcat) uses log4j(2?) <=2.14.1? Or
should Geoserver users actually do the mitigation actions written in the
Apache security link?
OR is it totally not affected...
Only in very, very specific configurations is log4j (gen. 1 / 1.2.x)
vulnerable - but not in the same way as log4j2; it requires using a JMS
Appender that uses JNDI.
please read
https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126
(and linked comments there)
The general use case for log4j (gen. 1 / 1.2.x) is logging to a file
using a FileAppender or to the console using a ConsoleAppender; that is what
GeoServer does.
The networking appenders, such as the SMTP appender and the other
networked/socket appenders, don't work very well under high load and do
contain some serious issues; but, again, they are not used by GeoServer.
Mark
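An added example (not from the thread or from GeoServer itself) that turns the two criteria in the reply into a check a deployer can run over an unpacked webapp: it lists log4j jars by version (log4j2 core at or below 2.14.1 versus log4j 1.x) and looks for a JMSAppender in any log4j 1.x configuration file. Jar naming, config file locations and the sample layout are assumptions constructed for the example.

```python
import re
import tempfile
from pathlib import Path

# Assumed jar naming, e.g. log4j-1.2.17.jar or log4j-core-2.14.1.jar
# (the jar names used below are constructed placeholders).
JAR_RE = re.compile(r"^(log4j(?:-core|-api)?)-(\d+(?:\.\d+)*)\.jar$")
# log4j 1.x: the JMS appender only matters if a configured appender names it.
JMS_RE = re.compile(r"org\.apache\.log4j\.net\.JMSAppender")

def version_tuple(v):
    return tuple(int(x) for x in v.split("."))

def classify_jar(artifact, version):
    """log4j2 core at or below 2.14.1 is the range named in the question;
    a log4j 1.x jar only needs a look at which appenders are configured."""
    if artifact == "log4j-core" and version <= (2, 14, 1):
        return "log4j2-affected-range"
    if artifact == "log4j" and version[0] == 1:
        return "log4j1-check-appenders"
    return "ok"

def audit_webapp(root):
    """Walk a webapp tree; return {jar_path: classification} plus whether any
    log4j 1.x config file (properties or XML) declares a JMSAppender."""
    root = Path(root)
    jars = {}
    for p in root.rglob("*.jar"):
        m = JAR_RE.match(p.name)
        if m:
            jars[p.relative_to(root).as_posix()] = classify_jar(
                m.group(1), version_tuple(m.group(2)))
    configs = list(root.rglob("log4j*.properties")) + list(root.rglob("log4j*.xml"))
    jms = any(JMS_RE.search(c.read_text(errors="replace")) for c in configs)
    return {"jars": jars, "jms_appender_configured": jms}

def demo():
    """Constructed GeoServer-like layout: a log4j 1.2.x jar and a file-appender config."""
    with tempfile.TemporaryDirectory() as d:
        lib = Path(d) / "WEB-INF" / "lib"
        lib.mkdir(parents=True)
        (lib / "log4j-1.2.17.jar").touch()   # constructed, empty placeholder
        (lib / "gt-main-26.0.jar").touch()   # unrelated jar, must be ignored
        classes = Path(d) / "WEB-INF" / "classes"
        classes.mkdir()
        (classes / "log4j.properties").write_text(
            "log4j.rootLogger=INFO, file\n"
            "log4j.appender.file=org.apache.log4j.FileAppender\n"
            "log4j.appender.file.File=geoserver.log\n")
        return audit_webapp(d)

if __name__ == "__main__":
    print(demo())
```

A deployment that reports only `log4j1-check-appenders` with `jms_appender_configured` False is in the situation Mark describes: log4j 1.x with file/console appenders only.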
_______________________________________________
Geoserver-devel mailing list
Geoserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel