There is now a fork of log4j named reload4j: https://reload4j.qos.ch/ It is a 
drop-in replacement and the project aims to fix the most urgent issues.

Stefan

________________________________
From: Ron Lindhoudt via Geoserver-users <geoserver-users@lists.sourceforge.net>
Sent: Monday, January 10, 2022 5:34 PM
To: geoserver-users@lists.sourceforge.net; Mark Prins
Subject: Re: [Geoserver-users] [EXTERN!]: LOG4J Version in GeoServer

Our customers are demanding support for the latest version of log4j in 
Geoserver, I mean the latest 2.* without vulnerabilities, because log4j 1.* is 
EOL.
On the Geoserver website I found this (13-12-2021):

We are also aware that Log4J 1.2.17 is an “End Of Life” (EOL) project, and are 
actively looking for funding to perform an upgrade to more recent versions of 
them. All new logging libraries have a different API and a different 
configuration file layout, with potential backwards compatibility issues, so 
this will be likely done on newer versions of GeoServer (2.21.x).

What is the status at this moment?

Thanks,
Ron
On Monday, 20 December 2021, 11:38:54 CET, Mark Prins <mc.pr...@gmail.com> 
wrote:


On 19-12-2021 11:11, Michael Steigemann via Geoserver-users wrote:
> Hello!
> Thank you very much for providing the geoserver.war:
> log4j-1.2.17.norce.jar.
> I have integrated it into geoserver and ran an OWASP dependency check (
> https://jeremylong.github.io/DependencyCheck/dependency-check-cli/index.html
> <https://jeremylong.github.io/DependencyCheck/dependency-check-cli/index.html>)
>
> The library is still classified as critical:
> geoserver.war: log4j-1.2.17.norce.jar
> cpe:2.3:a:apache:log4j:1.2.17:*:*:*:*:*:*:*
> pkg:maven/log4j/log4j@1.2.17-norce    CRITICAL    2    Highest    27
>
> Do you think it is possible and a good idea to register the library as
> "safe" in the central database?

No, this is not a new release but the same release with some files
removed and a way of preventing people from shooting themselves in the
foot because they can no longer configure the culprit appenders.

After inspection of the new jar file you can add a suppression for false
positives like

<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <suppress>
        <notes>
            <![CDATA[
                  log4j 1.2.17 "norce" build: the classes behind these CVEs
                  have been removed from the jar, so the CPE match is a false
                  positive.
                  CVE-2019-17571 log4j Socket Server
                  CVE-2020-9488 log4j SMTP appender
                  CVE-2021-4104 log4j JMSAppender
            ]]>
        </notes>
        <!-- The report above identifies the jar as log4j:log4j:1.2.17-norce;
             an anchored regex that stops at 1.2.17 would not match it, so the
             optional suffix is allowed here. -->
        <gav regex="true">^log4j:log4j:1\.2\.17(-norce)?$</gav>
        <cve>CVE-2019-17571</cve>
        <cve>CVE-2020-9488</cve>
        <cve>CVE-2021-4104</cve>
    </suppress>
</suppressions>





_______________________________________________
Geoserver-users mailing list

Please make sure you read the following two resources before posting to this 
list:
- Earning your support instead of buying it, by Ian Turton: 
http://www.ianturton.com/talks/foss4g.html#/
- The GeoServer user list posting guidelines: 
http://geoserver.org/comm/userlist-guidelines.html

If you want to request a feature or an improvement, also see this: 
https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer


Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users
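The advice in the thread is to inspect the "norce" jar before suppressing the findings, since the suppression only tells dependency-check to stop reporting; it proves nothing about the jar. The script below is an added example (not GeoServer's, dependency-check's or any list member's code) that does that inspection: it lists the jar entries and checks, for each of the three CVEs named above, whether the class files that carry the vulnerable code are still present, then emits a suppression entry only for CVEs whose classes are all gone. The CVE-to-class mapping is the editor's own reading of the advisories and is an assumption, as are the constructed in-memory jars used as sample input and the hypothetical gav regex passed to the renderer.

```python
"""Check a log4j 1.x jar for the classes behind CVE-2019-17571, CVE-2020-9488
and CVE-2021-4104 before adding a dependency-check suppression.

Added example; not code from GeoServer, dependency-check or the mailing list.
"""
import io
import zipfile

# Assumption: each CVE is only reachable when every listed class ships in the
# jar. A "norce"-style build removes these classes outright, so a jar is only
# safe to suppress for a CVE when none of its classes remain.
CVE_CLASSES = {
    "CVE-2019-17571": (  # deserialisation in the log4j socket server
        "org/apache/log4j/net/SocketServer.class",
        "org/apache/log4j/net/SocketNode.class",
    ),
    "CVE-2020-9488": ("org/apache/log4j/net/SMTPAppender.class",),
    "CVE-2021-4104": ("org/apache/log4j/net/JMSAppender.class",),
}


def build_jar(entries):
    """Construct an in-memory jar containing the given entry names.

    Only the names matter for the check, so each entry holds a stand-in
    class-file magic number rather than real bytecode (constructed sample).
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in entries:
            zf.writestr(name, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def inspect_jar(jar_bytes):
    """Return {cve: [mapped class entries still present in the jar]}."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
    return {cve: [c for c in classes if c in names]
            for cve, classes in CVE_CLASSES.items()}


def inspect_jar_path(path):
    """Same check against a jar on disk, e.g. WEB-INF/lib/log4j-1.2.17.norce.jar."""
    with open(path, "rb") as fh:
        return inspect_jar(fh.read())


def suppressible_cves(jar_bytes):
    """CVEs for which every mapped class is absent: safe to mark as false positives."""
    return sorted(cve for cve, present in inspect_jar(jar_bytes).items()
                  if not present)


def render_suppression(jar_bytes, gav_regex,
                       notes="log4j 1.2.17 with vulnerable classes removed"):
    """Render a dependency-check <suppress> element covering only the CVEs
    the jar inspection justifies; return None when none are justified."""
    cves = suppressible_cves(jar_bytes)
    if not cves:
        return None
    lines = ["<suppress>",
             "    <notes><![CDATA[", f"        {notes}", "    ]]></notes>",
             f'    <gav regex="true">{gav_regex}</gav>']
    lines += [f"    <cve>{cve}</cve>" for cve in cves]
    lines.append("</suppress>")
    return "\n".join(lines)


# Constructed samples: a stock 1.2.17 layout, a build with all three CVEs'
# classes removed, and a half-done build that dropped SocketServer but kept
# SocketNode, which still carries the readObject() path of CVE-2019-17571.
CORE = ["META-INF/MANIFEST.MF", "org/apache/log4j/Logger.class",
        "org/apache/log4j/FileAppender.class"]
ALL_VULN = [c for classes in CVE_CLASSES.values() for c in classes]
STOCK_JAR = build_jar(CORE + ALL_VULN)
NORCE_JAR = build_jar(CORE)
PARTIAL_JAR = build_jar(CORE + ["org/apache/log4j/net/SocketNode.class"])

if __name__ == "__main__":
    for label, jar in (("stock", STOCK_JAR), ("norce", NORCE_JAR),
                       ("partial", PARTIAL_JAR)):
        print(label, inspect_jar(jar))
    print(render_suppression(NORCE_JAR, r"^log4j:log4j:1\.2\.17(-norce)?$"))
```

Run it against the real jar with `inspect_jar_path(...)`; an empty list for a CVE means the suppression is defensible, a non-empty one means the jar still ships the code and the finding stands. The partial sample shows why the check insists on every mapped class being gone rather than just the one the CVE title names.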