Hi,

please be aware that log4j 1.x might also be affected when using the JMSAppender in the configuration!

From the log4j project website:

Log4j 1.x does not have Lookups so the risk is lower. Applications using Log4j 1.x are only vulnerable to this attack when they use JNDI in their configuration. A separate CVE (CVE-2021-4104) has been filed for this vulnerability. To mitigate: audit your logging configuration to ensure it has no JMSAppender configured. Log4j 1.x configurations without JMSAppender are not impacted by this vulnerability.

https://logging.apache.org/log4j/2.x/security.html#CVE-2021-44228

Regards
Daniel

From: Michael Steigemann via Geoserver-users [mailto:geoserver-users@lists.sourceforge.net]
Sent: Monday, December 13, 2021 7:53 PM
To: GeoServer Mailing List List <geoserver-users@lists.sourceforge.net>
Subject: [EXTERN!]: [Geoserver-users] LOG4J Version in GeoServer

Hello!

I think most of you have heard of the LOG4J vulnerability these days: https://nvd.nist.gov/vuln/detail/CVE-2021-44228

As far as I see, GeoServer 2.20.1 still uses Log4J Version 1 (log4j-1.2.17.jar) and luckily is not affected by the problem itself.

On the other hand, the used log4j version 1 has not been officially supported since 2015:

"...Please note that Log4j 1.x has reached end of life and is no longer supported. Vulnerabilities reported after August 2015 against Log4j 1.x were not checked and will not be fixed. Users should upgrade to Log4j 2 to obtain security fixes...." (https://logging.apache.org/log4j/2.x/security.html)

Are there any plans of integrating log4j Version 2 in GeoServer?

Thanks for your short feedback and all the best,
Michael
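Added example, not part of the original e-mails and not GeoServer or log4j project code: one way to carry out the audit quoted above, by checking Log4j 1.x configuration files (properties and XML form) for appenders declared with the JMSAppender class. The function names and both sample configurations are constructed for illustration.

```python
import re
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

JMS_CLASS = "org.apache.log4j.net.JMSAppender"
# Matches "log4j.appender.<name>=<class>", not "log4j.appender.<name>.<option>=..."
PROP_RE = re.compile(r"^\s*log4j\.appender\.([^.=:\s]+)\s*[=:]\s*(\S+)")

def scan_properties(text):
    """Names of appenders declared as JMSAppender in log4j.properties text."""
    hits = []
    for line in text.splitlines():
        if line.lstrip().startswith(("#", "!")):  # comment lines
            continue
        m = PROP_RE.match(line)
        if m and m.group(2) == JMS_CLASS:
            hits.append(m.group(1))
    return hits

def scan_xml(data):
    """Names of <appender> elements in log4j.xml whose class is JMSAppender."""
    return [a.get("name", "?") for a in ET.fromstring(data).iter("appender")
            if a.get("class", "").strip() == JMS_CLASS]

def scan_file(path):
    p = Path(path)
    if p.suffix.lower() == ".xml":
        return scan_xml(p.read_bytes())
    return scan_properties(p.read_text(errors="replace"))
# Constructed sample configurations (not taken from GeoServer).
SAMPLE_PROPS = """\
log4j.rootLogger=INFO, stdout, jms
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
# log4j.appender.old=org.apache.log4j.net.JMSAppender
log4j.appender.jms = org.apache.log4j.net.JMSAppender
log4j.appender.jms.TopicBindingName=constructedTopic
"""
SAMPLE_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE log4j:configuration SYSTEM "log4j.dtd">
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <appender name="console" class="org.apache.log4j.ConsoleAppender"/>
  <appender name="queue" class="org.apache.log4j.net.JMSAppender"/>
</log4j:configuration>
"""
if __name__ == "__main__":
    for path in sys.argv[1:]:
        for name in scan_file(path):
            print(f"{path}: appender '{name}' uses {JMS_CLASS}")
```

Run it with the paths of the configuration files to check as arguments; it reports only direct declarations of the class, so a custom appender that subclasses JMSAppender would need a separate check.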