I understand that the GeoTools/Geoserver community has made a fix to address 
the JMSAppender vulnerability: 
log4j-1.2.17.norce.jar
https://repo.osgeo.org/repository/geotools-releases/log4j/log4j/1.2.17.norce/log4j-1.2.17.norce.jar

But there is also an older vulnerability, 
https://nvd.nist.gov/vuln/detail/CVE-2019-17571, that says: "Included in Log4j 1.2 
is a SocketServer class that is vulnerable to deserialization of untrusted data 
which can be exploited to remotely execute arbitrary code when combined with a 
deserialization gadget when listening to untrusted network traffic for log 
data. This affects Log4j versions up to 1.2 up to 1.2.17."

Does this affect Geoserver?
Regards,
Ron
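A small audit script, added here as an example and not code from GeoServer or the Log4j project, that checks the two things this thread turns on: whether a log4j 1.x properties configuration defines a JMSAppender (the CVE-2021-4104 mitigation Daniel quotes below) and whether a given jar still ships the JMSAppender and SocketServer classes (the CVE-2019-17571 class Ron asks about). The sample configuration is constructed; the jar path in the final comment is a placeholder.

```python
# Added example (not GeoServer/Log4j code): audit a log4j 1.x deployment for
# the JMSAppender of CVE-2021-4104 and check which net classes a jar ships.
import re
import zipfile

# The thread's mitigation: no JMSAppender in the configuration.
RISKY_APPENDERS = {
    "org.apache.log4j.net.JMSAppender": "CVE-2021-4104 (JMSAppender performs JNDI lookups)",
}
# CVE-2019-17571's SocketServer is a standalone listener, not an appender, so it
# never appears in an appender config; check whether the jar ships it at all.
CLASSES_TO_CHECK = (
    "org/apache/log4j/net/JMSAppender.class",
    "org/apache/log4j/net/SocketServer.class",
)
# Matches only "log4j.appender.<name>=<class>", not the appender's sub-keys.
PROP_RE = re.compile(r"^\s*log4j\.appender\.([^.=\s]+)\s*=\s*(\S+)\s*$", re.M)


def appenders_from_properties(text):
    """Map appender name -> class from log4j.properties text."""
    return {m.group(1): m.group(2) for m in PROP_RE.finditer(text)}


def audit(appenders):
    """List (name, class, reason) for every risky appender configured."""
    return [(n, c, RISKY_APPENDERS[c]) for n, c in appenders.items()
            if c in RISKY_APPENDERS]


def classes_in_jar(jar_path, names=CLASSES_TO_CHECK):
    """Return those of `names` that are present in the jar's entry list."""
    with zipfile.ZipFile(jar_path) as jar:
        present = set(jar.namelist())
    return [n for n in names if n in present]


# Constructed sample config: a harmless ConsoleAppender plus a JMSAppender.
SAMPLE_PROPERTIES = """\
log4j.rootLogger=INFO, stdout, jms
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.InitialContextFactoryName=com.example.jndi.Factory
"""

if __name__ == "__main__":
    for name, cls, why in audit(appenders_from_properties(SAMPLE_PROPERTIES)):
        print(f"appender '{name}' uses {cls}: {why}")
    # classes_in_jar("WEB-INF/lib/log4j-1.2.17.jar")  # placeholder path
```

Run the jar check against the log4j jar actually deployed under GeoServer's WEB-INF/lib to confirm what a replacement jar does or does not still contain.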
    On Thursday, 16 December 2021, 13:59:52 CET, Calliess Daniel Ing. 
<daniel.calli...@stadt-salzburg.at> wrote:  
 
Hi,
 
  
 
please be aware that also log4j 1.x might be affected when using the 
JMSAppender in the configuration!
 
  
 
From the log4j project website:
 
Log4j 1.x does not have Lookups so the risk is lower. Applications using Log4j 
1.x are only vulnerable to this attack when they use JNDI in their 
configuration. A separate CVE (CVE-2021-4104) has been filed for this 
vulnerability. To mitigate: audit your logging configuration to ensure it has 
no JMSAppender configured. Log4j 1.x configurations without JMSAppender are not 
impacted by this vulnerability.
 
https://logging.apache.org/log4j/2.x/security.html#CVE-2021-44228
 
  
 
Regards
Daniel
 
  
 
From: Michael Steigemann via Geoserver-users 
[mailto:geoserver-users@lists.sourceforge.net]
Sent: Monday, December 13, 2021 7:53 PM
To: GeoServer Mailing List List <geoserver-users@lists.sourceforge.net>
Subject: [EXTERN!]: [Geoserver-users] LOG4J Version in GeoServer
 
  
 
Hello!
 
  
 
I think most of you have heard of the LOG4J vulnerability these days: 
https://nvd.nist.gov/vuln/detail/CVE-2021-44228
 
  
 
As far as I see, GeoServer 2.20.1 still uses Log4J version 1 (log4j-1.2.17.jar) 
and luckily is not affected by the problem itself. On the other hand, the 
log4j version 1 in use has not been officially supported since 2015: "...Please note that 
Log4j 1.x has reached end of life and is no longer supported. Vulnerabilities 
reported after August 2015 against Log4j 1.x were not checked and will not be 
fixed. Users should upgrade to Log4j 2 to obtain security fixes...." 
(https://logging.apache.org/log4j/2.x/security.html)
 
  
 
Are there any plans to integrate log4j version 2 in GeoServer?
 
  
 
Thanks for your short feedback and all the best,
 
Michael
 _______________________________________________
Geoserver-users mailing list

Please make sure you read the following two resources before posting to this 
list:
- Earning your support instead of buying it, by Ian Turton: 
http://www.ianturton.com/talks/foss4g.html#/
- The GeoServer user list posting guidelines: 
http://geoserver.org/comm/userlist-guidelines.html

If you want to request a feature or an improvement, also see this: 
https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer


Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users
  
_______________________________________________
Geoserver-users mailing list

Please make sure you read the following two resources before posting to this 
list:
- Earning your support instead of buying it, but Ian Turton: 
http://www.ianturton.com/talks/foss4g.html#/
- The GeoServer user list posting guidelines: 
http://geoserver.org/comm/userlist-guidelines.html

If you want to request a feature or an improvement, also see this: 
https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer


Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users

Reply via email to