Out of the box, no version of Apache Tomcat uses any log4j version. If log4j is used, it is by a specific application (not provided by the ASF) deployed to Tomcat. (Or an admin changed the default install to add it)
-Tim On Fri, Jan 28, 2022 at 10:36 AM Samuel Anderson-Burrell | Cloud21 <samuel.anderson-burr...@cloud21.net.invalid> wrote: > Good Afternoon Apache > Hope your well, my name is Samuel I work for a Security firm Cloud 21 and > we have been working with a client who uses your software in particular > Tomcat. > We are looking to see if there is a security patch against log4j. The > version they are using is tomcat 7, checking your dedicated page for Tomcat > version 7 Apache Tomcat(r) - Apache Tomcat 7 vulnerabilities< > https://tomcat.apache.org/security-7.html#Apache_Tomcat_7.x_vulnerabilities> > there does not appear to be an article to patch against it. > Forgive me if I'm not looking in the correct area if there is one please > could you point me in the right direct. I did try and email your security > mailbox but received an automated message back saying that I needed to be > on the subscribed list which I have attempted to subscribed too but I have > not had a response back yet. > >