We still have not had resources to update to log4j2 … if anyone has budget or 3-5 days of time we would be happy to upgrade and patch for this vulnerability.

Seriously, our version of log4j is no longer supported and is some technical debt that could use some love :)

Jody

On Sun, Dec 12, 2021 at 1:15 AM Richard Duivenvoorde <rdmaili...@duif.net> wrote:

> Hi Devs,
>
> In our national IT security group (and national news) there is an item
> about an issue with log4j2, pointing to:
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228
> or
> https://logging.apache.org/log4j/2.x/security.html
>
> As I deployed some Geoservers at some servers here and there :-) I'm
> wondering IF Geoserver (as being a public faced java application) is
> vulnerable or not...
>
> Anybody can confirm Geoserver (or Tomcat) use log4j(2?) <=2.14.1? Or
> actually should Geoserver users do the mitigation actions written in the
> apache security link?
> OR totally is not affected...
>
> Any hints appreciated,
>
> Regards,
>
> Richard Duivenvoorde
>
>
> _______________________________________________
> Geoserver-devel mailing list
> Geoserver-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/geoserver-devel
>

--
--
Jody Garnett
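To answer the question raised in this thread for a given deployment, the following sketch (an added example, not part of the original messages and not GeoServer's own code) lists log4j jars under a directory and inside `.war` files, and separates the log4j 1.x line from `log4j-core` at or below the 2.14.1 version quoted in the question. The function names `classify` and `scan` and the verdict labels are assumptions made for this example.

```python
import re
import sys
import zipfile
from pathlib import Path

# Artifact name, numeric version, optional qualifier such as "-beta9".
JAR_RE = re.compile(
    r"(?:^|/)(log4j(?:-[a-z0-9.]+)*)-(\d+(?:\.\d+)*)(?:-[A-Za-z0-9]+)?\.jar$")

def classify(name):
    """Return (artifact, version, verdict) for a jar name, or None if not log4j."""
    m = JAR_RE.search(name)
    if not m:
        return None
    artifact, version = m.group(1), m.group(2)
    nums = tuple(int(p) for p in version.split("."))
    if artifact == "log4j" and nums[0] == 1:
        verdict = "log4j1"                # the old 1.x line, not log4j2
    elif artifact == "log4j-core" and nums <= (2, 14, 1):
        verdict = "log4j2-core-in-range"  # the <= 2.14.1 range from the question
    elif artifact == "log4j-core":
        verdict = "log4j2-core-newer"
    else:
        verdict = "other"                 # log4j-api, bridges, log4j-over-slf4j, ...
    return artifact, version, verdict

def scan(root):
    """List log4j jars under root, including jars packed inside .war files."""
    results = []
    for path in sorted(Path(root).rglob("*")):
        if path.suffix == ".jar":
            hit = classify(path.name)
            if hit:
                results.append((str(path), *hit))
        elif path.suffix == ".war" and zipfile.is_zipfile(path):
            with zipfile.ZipFile(path) as war:
                for entry in war.namelist():
                    hit = classify(entry)
                    if hit:
                        results.append((f"{path}!{entry}", *hit))
    return results

if __name__ == "__main__":
    # Assumed usage: pass the servlet container's webapps directory.
    for location, artifact, version, verdict in scan(sys.argv[1]):
        print(f"{verdict:22} {artifact} {version}  {location}")
```

The check matches on jar file names only, so a renamed or repackaged copy of the library is not detected.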