Hello!

Thank you very much for providing the geoserver.war: log4j-1.2.17.norce.jar. I have integrated it into GeoServer and ran an OWASP dependency check (https://jeremylong.github.io/DependencyCheck/dependency-check-cli/index.html).

The library is still classified as critical:

  geoserver.war: log4j-1.2.17.norce.jar
  cpe:2.3:a:apache:log4j:1.2.17:*:*:*:*:*:*:*
  pkg:maven/log4j/log4j@1.2.17-norce
  CRITICAL  2  Highest  27

Do you think it is possible and a good idea to register the library as "safe" in the central database?

All the best,
Michael

On Thu, 16 Dec 2021 at 14:39, Andrea Aime <andrea.a...@geosolutionsgroup.com> wrote:
> Our official statement covers both vulnerabilities, please read:
>
> http://geoserver.org/announcements/2021/12/13/logj4-rce-statement.html
>
> Cheers
> Andrea
>
> On Thu, Dec 16, 2021 at 2:28 PM Ron Lindhoudt via Geoserver-users <geoserver-users@lists.sourceforge.net> wrote:
>
>> I understand that the GeoTools/GeoServer community has made a fix to address the JMSAppender vulnerability: log4j-1.2.17.norce.jar
>>
>> https://repo.osgeo.org/repository/geotools-releases/log4j/log4j/1.2.17.norce/log4j-1.2.17.norce.jar
>>
>> But there is also an older vulnerability,
>> https://nvd.nist.gov/vuln/detail/CVE-2019-17571
>> that says:
>> "Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17."
>>
>> Does this affect GeoServer?
>>
>> Regards,
>> Ron
>>
>> On Thursday, 16 December 2021, 13:59:52 CET, Calliess Daniel Ing. <daniel.calli...@stadt-salzburg.at> wrote:
>>
>> Hi,
>>
>> please be aware that log4j 1.x might also be affected when using the JMSAppender in the configuration!
>>
>> From the log4j project website:
>>
>> *Log4j 1.x does not have Lookups so the risk is lower. Applications using Log4j 1.x are only vulnerable to this attack when they use JNDI in their configuration. A separate CVE (CVE-2021-4104) has been filed for this vulnerability. To mitigate: audit your logging configuration to ensure it has no JMSAppender configured. Log4j 1.x configurations without JMSAppender are not impacted by this vulnerability.*
>>
>> https://logging.apache.org/log4j/2.x/security.html#CVE-2021-44228
>>
>> Regards
>> Daniel
>>
>> *From:* Michael Steigemann via Geoserver-users [mailto:geoserver-users@lists.sourceforge.net]
>> *Sent:* Monday, December 13, 2021 7:53 PM
>> *To:* GeoServer Mailing List List <geoserver-users@lists.sourceforge.net>
>> *Subject:* [EXTERN!]: [Geoserver-users] LOG4J Version in GeoServer
>>
>> Hello!
>>
>> I think most of you have heard of the LOG4J vulnerability these days:
>> https://nvd.nist.gov/vuln/detail/CVE-2021-44228
>>
>> As far as I see, GeoServer 2.20.1 still uses Log4J version 1 (log4j-1.2.17.jar) and luckily is not affected by the problem itself. On the other hand, the log4j version 1 in use has not been officially supported since 2015: "...Please note that Log4j 1.x has reached end of life and is no longer supported. Vulnerabilities reported after August 2015 against Log4j 1.x were not checked and will not be fixed. Users should upgrade to Log4j 2 to obtain security fixes...." (https://logging.apache.org/log4j/2.x/security.html)
>>
>> Are there any plans of integrating log4j Version 2 in GeoServer?
>>
>> Thanks for your short feedback and all the best,
>> Michael
>>
>> _______________________________________________
>> Geoserver-users mailing list
>>
>> Please make sure you read the following two resources before posting to this list:
>> - Earning your support instead of buying it, by Ian Turton: http://www.ianturton.com/talks/foss4g.html#/
>> - The GeoServer user list posting guidelines: http://geoserver.org/comm/userlist-guidelines.html
>>
>> If you want to request a feature or an improvement, also see this: https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer
>>
>> Geoserver-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/geoserver-users
>
> --
> Regards,
> Andrea Aime
>
> ==
> GeoServer Professional Services from the experts!
> Visit http://bit.ly/gs-services-us for more information.
> ==
>
> Ing. Andrea Aime
> @geowolf
> Technical Lead
>
> GeoSolutions Group
> phone: +39 0584 962313
> fax: +39 0584 1660272
> mob: +39 333 8128928
> https://www.geosolutionsgroup.com/
> http://twitter.com/geosolutions_it
>
> -------------------------------------------------------
>
> With reference to the legislation on the processing of personal data (Reg. EU 2016/679 - General Data Protection Regulation "GDPR"), please note that every circumstance relating to this email (its content, any attachments, etc.) is data whose knowledge is reserved to the sole recipient(s) indicated by the sender. If the message has reached you by mistake, you are required to delete it; any other operation is unlawful. I would nevertheless be grateful if you could let me know.
>
> This email is intended only for the person or entity to which it is addressed and may contain information that is privileged, confidential or otherwise protected from disclosure. We remind that - as provided by European Regulation 2016/679 "GDPR" - copying, dissemination or use of this e-mail or the information herein by anyone other than the intended recipient is prohibited. If you have received this email by mistake, please notify us immediately by telephone or e-mail.
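The Apache advisory text Daniel quotes gives one concrete mitigation for CVE-2021-4104: audit the logging configuration for a configured JMSAppender. The following is an added example, not code from this thread or from the GeoServer project: a small checker for log4j 1.x `.properties` files that reports every JMSAppender declaration and whether a logger actually attaches it. The sample configuration embedded in it is constructed for illustration.

```python
"""Audit a log4j 1.x properties config for JMSAppender (CVE-2021-4104).
Added example for this thread, not GeoServer code; the sample is constructed."""
import re
from typing import Dict, Set

# log4j 1.x declares appenders as  log4j.appender.<name>=<class>
_APPENDER_RE = re.compile(r"^log4j\.appender\.([^.=\s]+)\s*=\s*(\S+)\s*$")
# ... and attaches them as  log4j.rootLogger=LEVEL, app1, app2
_LOGGER_RE = re.compile(r"^log4j\.(rootLogger|logger\.[^=\s]+)\s*=\s*(.*)$")

SAMPLE_CONFIG = """\
# constructed sample in the style of a GeoServer log4j 1.x profile
log4j.rootLogger=INFO, stdout, jms
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.TopicConnectionFactoryBindingName=ConnectionFactory
log4j.appender.geoserverlogfile=org.apache.log4j.RollingFileAppender
"""

def parse_appenders(config_text: str) -> Dict[str, str]:
    """Return {appender name: class name} for every declared appender."""
    appenders: Dict[str, str] = {}
    for line in map(str.strip, config_text.splitlines()):
        if not line or line.startswith(("#", "!")):  # .properties comments
            continue
        m = _APPENDER_RE.match(line)
        if m:
            appenders[m.group(1)] = m.group(2)
    return appenders

def attached_appenders(config_text: str) -> Set[str]:
    """Appender names attached to the root logger or any named logger."""
    refs: Set[str] = set()
    for line in map(str.strip, config_text.splitlines()):
        m = _LOGGER_RE.match(line)
        if not m:
            continue
        parts = [p.strip() for p in m.group(2).split(",")]
        # the first token is the level unless the value starts with a comma
        names = parts if m.group(2).lstrip().startswith(",") else parts[1:]
        refs.update(n for n in names if n)
    return refs

def audit(config_text: str) -> dict:
    """List JMSAppender declarations; the advisory counts any configured
    JMSAppender, so unattached declarations are reported too."""
    jms = sorted(n for n, c in parse_appenders(config_text).items() if c.endswith("JMSAppender"))
    attached = attached_appenders(config_text)
    return {"jms_appenders": jms, "attached": [n for n in jms if n in attached], "affected": bool(jms)}
```

Run `audit()` over each log4j profile shipped in the data directory; a non-empty `jms_appenders` list means the configuration is in scope of the advisory even if the appender is not attached to any logger.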