Our official statement covers both vulnerabilities; please read:

http://geoserver.org/announcements/2021/12/13/logj4-rce-statement.html

Cheers
Andrea

On Thu, Dec 16, 2021 at 2:28 PM Ron Lindhoudt via Geoserver-users <
geoserver-users@lists.sourceforge.net> wrote:

> I understand that the GeoTools/Geoserver community has made a fix to
> address the JMSAppender vulnerability: log4j-1.2.17.norce.jar
>
> https://repo.osgeo.org/repository/geotools-releases/log4j/log4j/1.2.17.norce/log4j-1.2.17.norce.jar
>
> But there is also an older vulnerability
> https://nvd.nist.gov/vuln/detail/CVE-2019-17571
> that says:
> "Included in Log4j 1.2 is a SocketServer class that is vulnerable to
> deserialization of untrusted data which can be exploited to remotely
> execute arbitrary code when combined with a deserialization gadget when
> listening to untrusted network traffic for log data. This affects Log4j
> versions up to 1.2 up to 1.2.17. "
>
>
> Does this affect Geoserver?
>
> Regards,
> Ron
>
> On Thursday, 16 December 2021, 13:59:52 CET, Calliess Daniel Ing. <
> daniel.calli...@stadt-salzburg.at> wrote:
>
>
> Hi,
>
> please be aware that log4j 1.x might also be affected when using the
> JMSAppender in the configuration!
>
> From the log4j project website:
>
> *Log4j 1.x does not have Lookups so the risk is lower. Applications using
> Log4j 1.x are only vulnerable to this attack when they use JNDI in their
> configuration. A separate CVE (CVE-2021-4104) has been filed for this
> vulnerability. To mitigate: audit your logging configuration to ensure it
> has no JMSAppender configured. Log4j 1.x configurations without JMSAppender
> are not impacted by this vulnerability.*
>
> https://logging.apache.org/log4j/2.x/security.html#CVE-2021-44228
>
> Regards
> Daniel
>
> *From:* Michael Steigemann via Geoserver-users [mailto:
> geoserver-users@lists.sourceforge.net]
> *Sent:* Monday, December 13, 2021 7:53 PM
> *To:* GeoServer Mailing List List <geoserver-users@lists.sourceforge.net>
> *Subject:* [EXTERN!]: [Geoserver-users] LOG4J Version in GeoServer
>
>
> Hello!
>
> I think most of you have heard of the LOG4J vulnerability these days:
> https://nvd.nist.gov/vuln/detail/CVE-2021-44228
>
> As far as I can see, GeoServer 2.20.1 still uses Log4J version 1
> (log4j-1.2.17.jar) and luckily is not affected by the problem itself. On
> the other hand, the log4j version 1 in use has not been officially supported
> since 2015: "...Please note that Log4j 1.x has reached end of life and is no
> longer supported. Vulnerabilities reported after August 2015 against Log4j
> 1.x were not checked and will not be fixed. Users should upgrade to Log4j 2
> to obtain security fixes...." (
> https://logging.apache.org/log4j/2.x/security.html)
>
> Are there any plans to integrate log4j version 2 in GeoServer?
>
> Thanks for your short feedback and all the best,
>
> Michael
> _______________________________________________
> Geoserver-users mailing list
>
> Please make sure you read the following two resources before posting to
> this list:
> - Earning your support instead of buying it, but Ian Turton:
> http://www.ianturton.com/talks/foss4g.html#/
> - The GeoServer user list posting guidelines:
> http://geoserver.org/comm/userlist-guidelines.html
>
> If you want to request a feature or an improvement, also see this:
> https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer
>
>
> Geoserver-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/geoserver-users
>


-- 

Regards,

Andrea Aime

==
GeoServer Professional Services from the experts!

Visit http://bit.ly/gs-services-us for more information.
==

Ing. Andrea Aime
@geowolf
Technical Lead

GeoSolutions Group
phone: +39 0584 962313

fax:     +39 0584 1660272

mob:   +39  333 8128928

https://www.geosolutionsgroup.com/

http://twitter.com/geosolutions_it

-------------------------------------------------------

This email is intended only for the person or entity to which it is
addressed and may contain information that is privileged, confidential or
otherwise protected from disclosure. We remind that - as provided by
European Regulation 2016/679 “GDPR” - copying, dissemination or use of this
e-mail or the information herein by anyone other than the intended
recipient is prohibited. If you have received this email by mistake, please
notify us immediately by telephone or e-mail
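
The mitigation quoted from the log4j project above (audit the configuration for a JMSAppender) and Ron's question about SocketServer both come down to a check a practitioner can script. The following Python is an added example, not code from this thread, from GeoServer or from the log4j project: it scans a log4j.properties text, a log4j.xml text and a jar's class list for the two classes named in the thread. The sample configurations, the in-memory jars and the RISKY_* tables are constructed here; which classes the GeoServer "norce" jar actually removes is not asserted by this example, it only reports what a given jar still ships.

```python
"""Audit a log4j 1.x deployment for the two issues raised in the thread.

CVE-2021-4104: reachable only when a JMSAppender (which does a JNDI lookup)
is configured.  CVE-2019-17571: reachable only when SocketServer is run to
accept serialized LoggingEvents from the network.  Every sample input below
is constructed for this example.
"""
import io
import re
import xml.etree.ElementTree as ET
import zipfile

# Appender classes whose presence in a configuration is a finding.
RISKY_APPENDERS = {
    "org.apache.log4j.net.JMSAppender": "CVE-2021-4104",
}
# Class files whose presence in the jar is worth reporting.  Assumption:
# a jar from which they were removed cannot be abused through them; what the
# GeoServer "norce" jar actually strips is not asserted here.
RISKY_CLASS_FILES = {
    "org/apache/log4j/net/JMSAppender.class": "CVE-2021-4104",
    "org/apache/log4j/net/SocketServer.class": "CVE-2019-17571",
}

# Matches "log4j.appender.<name>=<class>" but not "log4j.appender.<name>.layout=..."
_APPENDER_RE = re.compile(r"^\s*log4j\.appender\.([^.=\s]+)\s*=\s*(\S+)\s*$")


def audit_properties(text):
    """Return (appender name, class, CVE) for each risky appender in a
    log4j.properties configuration."""
    findings = []
    for line in text.splitlines():
        m = _APPENDER_RE.match(line)
        if m and m.group(2) in RISKY_APPENDERS:
            findings.append((m.group(1), m.group(2), RISKY_APPENDERS[m.group(2)]))
    return findings


def audit_xml(text):
    """Same check for a log4j.xml configuration (<appender class=...>)."""
    findings = []
    for el in ET.fromstring(text).iter("appender"):
        cls = el.get("class", "")
        if cls in RISKY_APPENDERS:
            findings.append((el.get("name", "?"), cls, RISKY_APPENDERS[cls]))
    return findings


def audit_jar(jar_bytes):
    """Return (class file, CVE) for each risky class the jar still ships."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        present = set(zf.namelist())
    return [(c, cve) for c, cve in RISKY_CLASS_FILES.items() if c in present]


# --- constructed sample inputs -------------------------------------------
SAMPLE_PROPERTIES = """\
log4j.rootLogger=INFO, stdout, JMS
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.JMS=org.apache.log4j.net.JMSAppender
log4j.appender.JMS.ProviderURL=tcp://localhost:61616
log4j.appender.JMS.TopicBindingName=logTopic
"""

SAMPLE_XML = """\
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <appender name="stdout" class="org.apache.log4j.ConsoleAppender">
    <layout class="org.apache.log4j.PatternLayout"/>
  </appender>
  <appender name="jms" class="org.apache.log4j.net.JMSAppender">
    <param name="TopicBindingName" value="logTopic"/>
  </appender>
  <root><level value="INFO"/><appender-ref ref="stdout"/></root>
</log4j:configuration>
"""


def make_jar(class_files):
    """Build an in-memory jar containing only the given (empty) class entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        for name in class_files:
            zf.writestr(name, b"\xca\xfe\xba\xbe")  # class-file magic; body irrelevant
    return buf.getvalue()


STOCK_JAR = make_jar(["org/apache/log4j/Logger.class",
                      "org/apache/log4j/net/JMSAppender.class",
                      "org/apache/log4j/net/SocketServer.class"])
STRIPPED_JAR = make_jar(["org/apache/log4j/Logger.class"])

if __name__ == "__main__":
    print("properties:", audit_properties(SAMPLE_PROPERTIES))
    print("xml:       ", audit_xml(SAMPLE_XML))
    print("stock jar: ", audit_jar(STOCK_JAR))
    print("stripped:  ", audit_jar(STRIPPED_JAR))
```

A jar finding on its own is not exploitability: as the quoted advisory says, JMSAppender only matters when it is configured, and SocketServer only when somebody actually runs it as a listener, so pair audit_jar with audit_properties over each logging profile (in the GeoServer versions discussed here these are log4j 1.x properties files under the data directory's logs/ folder) and with a check that no SocketServer process is listening on the host.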