Hello all,
The following message was sent out by the developers for Tomcat a few days
ago.
It appears that only 8.0.x and some 8.5.x versions of Tomcat use log4j as a
default. While current versions do have the capability to utilize log4j, *this
is not enabled by default* and Tomcat must be configured to allow log4j use.
I'm not sure if any of the above situations apply to you, but if you are
using a current version of Tomcat "out-of-the-box" you should be fine.
We will post any relevant follow-up information to this list as we receive
it.
Please let us know if you have any questions (
thredds-support@xxxxxxxxxxxxxxxx).
Kind regards,
THREDDS development team
> Mark Thomas <markt@xxxxxxxxxx>
> Tue, Dec 14, 2:52 AM (4 days ago)
>
> to Tomcat, Tomcat, announce@xxxxxxxxxxxxxxxxx, announce
>
> The following represents the current understanding of the Apache Tomcat
> security team at the time this announcement was issued. There is a lot
> of security research being focussed on log4j2 at the moment and it is
> probable that additional information will emerge.
> Currently supported Tomcat versions (8.5.x, 9.0.x, 10.0.x and 10.1.x)
> have no dependency on any version of log4j.
> Web applications deployed on Tomcat may have a dependency on log4j. You
> should seek support from your application vendors on how best to address
> this vulnerability.
> Tomcat 8.0.x and earlier as well as the first few releases of 8.5.x
> (8.5.3 and earlier) provided optional support for switching Tomcat's
> internal logging to log4j 1.x. Anyone using these very old (5+
> years), unsupported versions of Tomcat that switched to using log4j 1.x
> may need to address this vulnerability as log4j 1.x may be affected in
> some (probably rarely used) configurations. Regardless, they'll need to
> address the Tomcat vulnerabilities that have been made public in those
> 5+ years.
> It is possible to configure Tomcat to use log4j 2.x for Tomcat's
> internal logging. This requires explicit configuration and the addition
> of the log4j 2.x library. Anyone who has switched Tomcat's internal
> logging to log4j 2.x is likely to need to address this vulnerability.
> In most cases, disabling the problematic feature will be the simplest
> solution. Exactly how to do that depends on the exact version of log4j2
> being used. Details are provided on the log4j2 security page [1].
> If not already subscribed, you may wish to follow the ASF announcements
> mailing list [2] where any significant updates from the logging project
> will be posted.
> If you have any questions regarding this issue or how to mitigate it,
> please direct them to the Apache Tomcat Users mailing list [3].
> The Apache Tomcat Security Team
> [1] https://logging.apache.org/log4j/2.x/security.html
> [2] https://www.apache.org/foundation/mailinglists.html#foundation-announce
> [3] https://tomcat.apache.org/lists.html#tomcat-users
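Added here as an illustration, not code from the THREDDS team or from the Tomcat announcement: a POSIX shell check that separates the two cases the announcement distinguishes, Tomcat's own internal logging (jars under CATALINA_HOME/lib) and deployed webapps (jars under each WEB-INF/lib). It matches on jar filenames only, so shaded or renamed copies are not found; the directory layout and the log4j jar naming pattern are assumptions.

```shell
#!/bin/sh
# Inventory a Tomcat installation for log4j jars.
# Output: one line per jar, "<scope> <major-version> <path>", where scope is
# "tomcat-internal" for $CATALINA_HOME/lib (only log4j if someone explicitly
# switched Tomcat's internal logging) or "webapp:<name>" for a deployed app
# (a dependency the application vendor has to address).
# Heuristic: filename-based only; shaded or renamed jars are missed.
log4j_inventory() {
    catalina_home=$1
    find "$catalina_home/lib" "$catalina_home/webapps" -type f \
        \( -name 'log4j-*.jar' -o -name 'log4j2-*.jar' \) 2>/dev/null |
    while IFS= read -r jar; do
        base=$(basename "$jar" .jar)
        # First digit run after a '-': log4j-core-2.14.1 -> 2.14.1,
        # log4j-1.2.17 -> 1.2.17, log4j-core-2.15.0-rc1 -> 2.15.0
        version=$(printf '%s\n' "$base" | sed -n 's/.*-\([0-9][0-9.]*\).*/\1/p')
        major=${version%%.*}
        major=${major:-unknown}
        case "$jar" in
            "$catalina_home"/lib/*) scope=tomcat-internal ;;
            "$catalina_home"/webapps/*)
                rest=${jar#"$catalina_home"/webapps/}
                scope="webapp:${rest%%/*}" ;;
            *) scope=other ;;
        esac
        printf '%s %s %s\n' "$scope" "$major" "$jar"
    done
}

# Exit 0 when Tomcat's own lib/ holds a log4j 2.x jar (the "switched internal
# logging to log4j 2.x" case from the announcement), 1 otherwise.
tomcat_internal_log4j2() {
    log4j_inventory "$1" |
        awk '$1 == "tomcat-internal" && $2 == 2 { found = 1 } END { exit !found }'
}

# Usage: CATALINA_HOME=/path/to/tomcat sh log4j_inventory.sh
if [ -n "${CATALINA_HOME:-}" ]; then
    log4j_inventory "$CATALINA_HOME"
    if tomcat_internal_log4j2 "$CATALINA_HOME"; then
        echo "Tomcat internal logging uses log4j 2.x: review log4j2 mitigation"
    fi
fi
```

Webapp lines still need the vendor's guidance for each application, as the announcement says; the script only tells you where to look.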