The following represents the current understanding of the Apache Tomcat security team at the time this announcement was issued. There is a lot of security research being focussed on log4j2 at the moment and it is probable that additional information will emerge.

Currently supported Tomcat versions (8.5.x, 9.0.x, 10.0.x and 10.1.x) have no dependency on any version of log4j.

Web applications deployed on Tomcat may have a dependency on log4j. You should seek support from your application vendors on how best to address this vulnerability.

Tomcat 8.0.x and earlier, as well as the first few releases of 8.5.x (8.5.3 and earlier), provided optional support for switching Tomcat's internal logging to log4j 1.x. Anyone using these very old (5+ years), unsupported versions of Tomcat who switched to log4j 1.x may need to address this vulnerability, as log4j 1.x may be affected in some (probably rarely used) configurations. Regardless, they will need to address the Tomcat vulnerabilities that have been made public in those 5+ years.

It is possible to configure Tomcat to use log4j 2.x for Tomcat's internal logging. This requires explicit configuration and the addition of the log4j 2.x library. Anyone who has switched Tomcat's internal logging to log4j 2.x is likely to need to address this vulnerability.
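As an added check that is not part of this announcement, the POSIX shell script below inventories log4j jars under a Tomcat installation. It separates jars bundled inside deployed web applications (webapps/<name>/WEB-INF/lib, the case described above for applications with their own log4j dependency) from jars anywhere else under CATALINA_BASE, which are candidates for Tomcat's own classpath and therefore for the switched internal logging described in this paragraph. The directory layout, the sample jar names and the make_sample_layout helper are constructed for illustration only; whether a listed version is affected must be checked against the log4j2 security page.

```shell
#!/bin/sh
# Added example, not part of the Tomcat announcement.
# Inventory log4j jars under a Tomcat CATALINA_BASE and report where each
# one sits, so an operator can see whether log4j is present because of a
# deployed web application or because Tomcat's own logging was switched.

# find_log4j_jars <catalina_base>
# Prints one line per jar: "<scope><TAB><path relative to catalina_base>"
# scope is "webapp:<name>" for jars under webapps/<name>/, otherwise
# "tomcat-classpath-candidate" (anything else under CATALINA_BASE, e.g. lib/
# or a separate log4j2/lib directory added to the classpath by setenv.sh).
find_log4j_jars() {
  base="$1"
  # Match on filename only (log4j-api, log4j-core, log4j-1.x, ...).
  find "$base" -type f -name 'log4j*.jar' 2>/dev/null | sort |
  while IFS= read -r jar; do
    rel="${jar#"$base"/}"
    case "$rel" in
      webapps/*/*)
        app="${rel#webapps/}"
        app="${app%%/*}"
        printf 'webapp:%s\t%s\n' "$app" "$rel"
        ;;
      *)
        printf 'tomcat-classpath-candidate\t%s\n' "$rel"
        ;;
    esac
  done
}

# make_sample_layout: constructed CATALINA_BASE for offline testing.
# The jar names are placeholders ("2.x" stands in for a real version number);
# the log4j2/lib location is an assumed extra classpath directory.
make_sample_layout() {
  dir=$(mktemp -d)
  mkdir -p "$dir/lib" "$dir/log4j2/lib" \
           "$dir/webapps/ROOT/WEB-INF/lib" "$dir/webapps/shop/WEB-INF/lib"
  : > "$dir/lib/catalina.jar"                          # not log4j, must not match
  : > "$dir/log4j2/lib/log4j-core-2.x.jar"             # Tomcat internal logging switched
  : > "$dir/webapps/ROOT/WEB-INF/lib/other-lib-1.0.jar" # not log4j, must not match
  : > "$dir/webapps/shop/WEB-INF/lib/log4j-api-2.x.jar" # app dependency
  : > "$dir/webapps/shop/WEB-INF/lib/log4j-core-2.x.jar"
  printf '%s\n' "$dir"
}

# Usage: sh find_log4j.sh /path/to/CATALINA_BASE
if [ "$#" -ge 1 ]; then
  find_log4j_jars "$1"
fi
```

The script matches on jar filenames only: it will not see log4j classes repackaged under another jar name, shaded into an application's own jar, or still inside an unexploded .war, so treat an empty result as "nothing found by name", not as proof of absence. Run it against every CATALINA_BASE on the host (and any extra directory referenced from CLASSPATH in setenv.sh) to cover multi-instance layouts.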

In most cases, disabling the problematic feature will be the simplest solution. Exactly how to do that depends on the exact version of log4j2 being used. Details are provided on the log4j2 security page [1].

If not already subscribed, you may wish to follow the ASF announcements mailing list [2] where any significant updates from the logging project will be posted.

If you have any questions regarding this issue or how to mitigate it, please direct them to the Apache Tomcat Users mailing list [3].

The Apache Tomcat Security Team


[1] https://logging.apache.org/log4j/2.x/security.html

[2] https://www.apache.org/foundation/mailinglists.html#foundation-announce

[3] https://tomcat.apache.org/lists.html#tomcat-users
