Re: [Geoserver-users] [EXTERN!]: LOG4J Version in GeoServer

2022-01-24 Thread Jody Garnett
We actually have a call out for sponsors and proposals on replacing the
log4j1 library:
http://geoserver.org/behind%20the%20scenes/2022/01/20/log4j-upgrade.html

Please support geoserver!
--
Jody Garnett


On Mon, 24 Jan 2022 at 03:52, Andrea Aime 
wrote:

> See
> http://geoserver.org/behind%20the%20scenes/2022/01/20/log4j-upgrade.html
>
> If you and your customers are in urgent need for this upgrade, don't
> hesitate to sponsor the effort.
>
> Cheers
> Andrea
>
>
> On Mon, Jan 10, 2022 at 5:32 PM Ron Lindhoudt via Geoserver-users <
> geoserver-users@lists.sourceforge.net> wrote:
>
>> Our customers are demanding to support the latest version of log4j in
>> Geoserver, I mean the latest 2.* without vulnerabilities because log4j 1.*
>> is EOL.
>> On the Geoserver website I found this (13-12-2021):
>>
>> We are also aware that Log4J 1.2.17 is an “End Of Life” (EOL) project,
>> and are actively looking for funding to perform an upgrade to more recent
>> versions of them. All new logging libraries have a different API and a
>> different configuration file layout, with potential backwards compatibility
>> issues, so this will be likely done on newer versions of GeoServer (2.21.x).
>>
>> What is the status at this moment?
>>
>> Thanks,
>> Ron
>> On Monday, 20 December 2021, 11:38:54 CET, Mark Prins 
>> wrote:
>>
>>
>> On 19-12-2021 11:11, Michael Steigemann via Geoserver-users wrote:
>> > Hello!
>> > Thank you very much for providing the geoserver.war:
>> > log4j-1.2.17.norce.jar.
>> > I have integrated it into geoserver and ran an OWASP dependency check (
>> > https://jeremylong.github.io/DependencyCheck/dependency-check-cli/index.html
>> > )
>> >
>> > The library is still classified as critical:
>> > geoserver.war: log4j-1.2.17.norce.jar
>> > cpe:2.3:a:apache:log4j:1.2.17:*:*:*:*:*:*:*
>> > pkg:maven/log4j/log4j@1.2.17-norce    CRITICAL    2    Highest    27
>> >
>> > Do you think it is possible and a good idea to register the library as
>> > "safe" in the central database?
>>
>> No, this is not a new release but the same release with some files
>> removed and a way of preventing people from shooting themselves in the
>> foot because they can no longer configure the culprit appenders.
>>
>> After inspection of the new jar file you can add a suppression for false
>> positives like
>>
>> <?xml version="1.0" encoding="UTF-8"?>
>> <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
>>     <suppress>
>>         <notes><![CDATA[
>>         file name: log4j-1.2.17.norce.jar
>>         ]]></notes>
>>         <gav regex="true">^log4j:log4j:1\.2\.17$</gav>
>>         <cve>CVE-2019-17571</cve>
>>         <cve>CVE-2020-9488</cve>
>>         <cve>CVE-2021-4104</cve>
>>     </suppress>
>> </suppressions>
>>
>>
>>
>>
>>
>> ___
>> Geoserver-users mailing list
>>
>> Please make sure you read the following two resources before posting to
>> this list:
>> - Earning your support instead of buying it, by Ian Turton:
>> http://www.ianturton.com/talks/foss4g.html#/
>> - The GeoServer user list posting guidelines:
>> http://geoserver.org/comm/userlist-guidelines.html
>>
>> If you want to request a feature or an improvement, also see this:
>> https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer
>>
>>
>> Geoserver-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/geoserver-users
>>
>
>
> --
>
> Regards,
>
> Andrea Aime
>
> ==
> GeoServer Professional Services from the experts!
>
> Visit http://bit.ly/gs-services-us for more information.
> ==
>
> Ing. Andrea Aime
> @geowolf
> Technical Lead
>
> GeoSolutions Group
> phone: +39 0584 962313
>
> fax: +39 0584 1660272
>
> mob:   +39  333 8128928
>
> https://www.geosolutionsgroup.com/
>
> http://twitter.com/geosolutions_it
>
> ---
>
> With reference to the regulations on the processing of personal data (EU Reg.
> 2016/679, the General Data Protection Regulation, “GDPR”), please note that
> every circumstance relating to this email (its content, any attachments, etc.)
> is information whose knowledge is reserved to the sole recipient(s) indicated
> by the sender. If this message has reached you by mistake, you are required to
> delete it; any other operation is unlawful. I would in any case be grateful if
> you could notify me.

Re: [Geoserver-users] [EXTERN!]: LOG4J Version in GeoServer

2022-01-24 Thread Andrea Aime
See http://geoserver.org/behind%20the%20scenes/2022/01/20/log4j-upgrade.html

If you and your customers are in urgent need for this upgrade, don't
hesitate to sponsor the effort.

Cheers
Andrea


On Mon, Jan 10, 2022 at 5:32 PM Ron Lindhoudt via Geoserver-users <
geoserver-users@lists.sourceforge.net> wrote:

> Our customers are demanding to support the latest version of log4j in
> Geoserver, I mean the latest 2.* without vulnerabilities because log4j 1.*
> is EOL.
> On the Geoserver website I found this (13-12-2021):
>
> We are also aware that Log4J 1.2.17 is an “End Of Life” (EOL) project, and
> are actively looking for funding to perform an upgrade to more recent
> versions of them. All new logging libraries have a different API and a
> different configuration file layout, with potential backwards compatibility
> issues, so this will be likely done on newer versions of GeoServer (2.21.x).
>
> What is the status at this moment?
>
> Thanks,
> Ron
> On Monday, 20 December 2021, 11:38:54 CET, Mark Prins 
> wrote:
>
>
> On 19-12-2021 11:11, Michael Steigemann via Geoserver-users wrote:
> > Hello!
> > Thank you very much for providing the geoserver.war:
> > log4j-1.2.17.norce.jar.
> > I have integrated it into geoserver and ran an OWASP dependency check (
> > https://jeremylong.github.io/DependencyCheck/dependency-check-cli/index.html
> > )
> >
> > The library is still classified as critical:
> > geoserver.war: log4j-1.2.17.norce.jar
> > cpe:2.3:a:apache:log4j:1.2.17:*:*:*:*:*:*:*
> > pkg:maven/log4j/log4j@1.2.17-norce    CRITICAL    2    Highest    27
> >
> > Do you think it is possible and a good idea to register the library as
> > "safe" in the central database?
>
> No, this is not a new release but the same release with some files
> removed and a way of preventing people from shooting themselves in the
> foot because they can no longer configure the culprit appenders.
>
> After inspection of the new jar file you can add a suppression for false
> positives like
>
> <?xml version="1.0" encoding="UTF-8"?>
> <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
>     <suppress>
>         <notes><![CDATA[
>         file name: log4j-1.2.17.norce.jar
>         ]]></notes>
>         <gav regex="true">^log4j:log4j:1\.2\.17$</gav>
>         <cve>CVE-2019-17571</cve>
>         <cve>CVE-2020-9488</cve>
>         <cve>CVE-2021-4104</cve>
>     </suppress>
> </suppressions>
>
>
>
>
>
>



Re: [Geoserver-users] [EXTERN!]: LOG4J Version in GeoServer

2022-01-10 Thread Stefan Ziegler
There is now a fork of log4j named reload4j: https://reload4j.qos.ch/ It is a 
drop-in replacement and the project aims to fix the most urgent issues.

Stefan


From: Ron Lindhoudt via Geoserver-users 
Sent: Monday, January 10, 2022 5:34 PM
To: geoserver-users@lists.sourceforge.net; Mark Prins
Subject: Re: [Geoserver-users] [EXTERN!]: LOG4J Version in GeoServer

Our customers are demanding to support the latest version of log4j in 
Geoserver, I mean the latest 2.* without vulnerabilities because log4j 1.* is 
EOL.
On the Geoserver website I found this (13-12-2021):

We are also aware that Log4J 1.2.17 is an “End Of Life” (EOL) project, and are 
actively looking for funding to perform an upgrade to more recent versions of 
them. All new logging libraries have a different API and a different 
configuration file layout, with potential backwards compatibility issues, so 
this will be likely done on newer versions of GeoServer (2.21.x).

What is the status at this moment?

Thanks,
Ron
On Monday, 20 December 2021, 11:38:54 CET, Mark Prins  
wrote:


On 19-12-2021 11:11, Michael Steigemann via Geoserver-users wrote:
> Hello!
> Thank you very much for providing the geoserver.war:
> log4j-1.2.17.norce.jar.
> I have integrated it into geoserver and ran an OWASP dependency check (
> https://jeremylong.github.io/DependencyCheck/dependency-check-cli/index.html
> )
>
> The library is still classified as critical:
> geoserver.war: log4j-1.2.17.norce.jar
> cpe:2.3:a:apache:log4j:1.2.17:*:*:*:*:*:*:*
> pkg:maven/log4j/log4j@1.2.17-norce    CRITICAL    2    Highest    27
>
> Do you think it is possible and a good idea to register the library as
> "safe" in the central database?

No, this is not a new release but the same release with some files
removed and a way of preventing people from shooting themselves in the
foot because they can no longer configure the culprit appenders.

After inspection of the new jar file you can add a suppression for false
positives like

<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <suppress>
        <notes><![CDATA[
        file name: log4j-1.2.17.norce.jar
        ]]></notes>
        <gav regex="true">^log4j:log4j:1\.2\.17$</gav>
        <cve>CVE-2019-17571</cve>
        <cve>CVE-2020-9488</cve>
        <cve>CVE-2021-4104</cve>
    </suppress>
</suppressions>







Re: [Geoserver-users] [EXTERN!]: LOG4J Version in GeoServer

2022-01-10 Thread Ian Turton
Currently there are no plans to change the logging framework. The question
is how much do you and your customers want to make this change happen? Even
estimating the cost of the update is probably several days work, so until
we get funding to start looking there isn't even a plan.

There is a chance we can use OSGeo funds to look at the problem but that
still won't happen unless someone organises it but we are always happy to
receive volunteers.

Ian

On Mon, 10 Jan 2022, 16:34 Ron Lindhoudt via Geoserver-users, <
geoserver-users@lists.sourceforge.net> wrote:

> Our customers are demanding to support the latest version of log4j in
> Geoserver, I mean the latest 2.* without vulnerabilities because log4j 1.*
> is EOL.
> On the Geoserver website I found this (13-12-2021):
>
> We are also aware that Log4J 1.2.17 is an “End Of Life” (EOL) project, and
> are actively looking for funding to perform an upgrade to more recent
> versions of them. All new logging libraries have a different API and a
> different configuration file layout, with potential backwards compatibility
> issues, so this will be likely done on newer versions of GeoServer (2.21.x).
>
> What is the status at this moment?
>
> Thanks,
> Ron
> On Monday, 20 December 2021, 11:38:54 CET, Mark Prins 
> wrote:
>
>
> On 19-12-2021 11:11, Michael Steigemann via Geoserver-users wrote:
> > Hello!
> > Thank you very much for providing the geoserver.war:
> > log4j-1.2.17.norce.jar.
> > I have integrated it into geoserver and ran an OWASP dependency check (
> > https://jeremylong.github.io/DependencyCheck/dependency-check-cli/index.html
> > )
> >
> > The library is still classified as critical:
> > geoserver.war: log4j-1.2.17.norce.jar
> > cpe:2.3:a:apache:log4j:1.2.17:*:*:*:*:*:*:*
> > pkg:maven/log4j/log4j@1.2.17-norce    CRITICAL    2    Highest    27
> >
> > Do you think it is possible and a good idea to register the library as
> > "safe" in the central database?
>
> No, this is not a new release but the same release with some files
> removed and a way of preventing people from shooting themselves in the
> foot because they can no longer configure the culprit appenders.
>
> After inspection of the new jar file you can add a suppression for false
> positives like
>
> <?xml version="1.0" encoding="UTF-8"?>
> <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
>     <suppress>
>         <notes><![CDATA[
>         file name: log4j-1.2.17.norce.jar
>         ]]></notes>
>         <gav regex="true">^log4j:log4j:1\.2\.17$</gav>
>         <cve>CVE-2019-17571</cve>
>         <cve>CVE-2020-9488</cve>
>         <cve>CVE-2021-4104</cve>
>     </suppress>
> </suppressions>
>
>
>
>
>


Re: [Geoserver-users] [EXTERN!]: LOG4J Version in GeoServer

2022-01-10 Thread Ron Lindhoudt via Geoserver-users
Our customers are demanding to support the latest version of log4j in
Geoserver, I mean the latest 2.* without vulnerabilities because log4j 1.* is
EOL.
On the Geoserver website I found this (13-12-2021):
We are also aware that Log4J 1.2.17 is an “End Of Life” (EOL) project, and are 
actively looking for funding to perform an upgrade to more recent versions of 
them. All new logging libraries have a different API and a different 
configuration file layout, with potential backwards compatibility issues, so 
this will be likely done on newer versions of GeoServer (2.21.x).

What is the status at this moment?
Thanks,
Ron

On Monday, 20 December 2021, 11:38:54 CET, Mark Prins wrote:

On 19-12-2021 11:11, Michael Steigemann via Geoserver-users wrote:
> Hello!
> Thank you very much for providing the geoserver.war: 
> log4j-1.2.17.norce.jar.
> I have integrated it into geoserver and ran an OWASP dependency check (
> https://jeremylong.github.io/DependencyCheck/dependency-check-cli/index.html 
> )
> 
> The library is still classified as critical:
> geoserver.war: log4j-1.2.17.norce.jar 
> cpe:2.3:a:apache:log4j:1.2.17:*:*:*:*:*:*:* 
> pkg:maven/log4j/log4j@1.2.17-norce    CRITICAL    2    Highest    27
> 
> Do you think it is possible and a good idea to register the library as 
> "safe" in the central database?

No, this is not a new release but the same release with some files 
removed and a way of preventing people from shooting themselves in the 
foot because they can no longer configure the culprit appenders.

After inspection of the new jar file you can add a suppression for false 
positives like

<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <suppress>
        <notes><![CDATA[
        file name: log4j-1.2.17.norce.jar
        ]]></notes>
        <gav regex="true">^log4j:log4j:1\.2\.17$</gav>
        <cve>CVE-2019-17571</cve>
        <cve>CVE-2020-9488</cve>
        <cve>CVE-2021-4104</cve>
    </suppress>
</suppressions>






Re: [Geoserver-users] [EXTERN!]: LOG4J Version in GeoServer

2021-12-20 Thread Mark Prins

On 19-12-2021 11:11, Michael Steigemann via Geoserver-users wrote:

> Hello!
> Thank you very much for providing the geoserver.war:
> log4j-1.2.17.norce.jar.
> I have integrated it into geoserver and ran an OWASP dependency check (
> https://jeremylong.github.io/DependencyCheck/dependency-check-cli/index.html
> )
>
> The library is still classified as critical:
> geoserver.war: log4j-1.2.17.norce.jar
> cpe:2.3:a:apache:log4j:1.2.17:*:*:*:*:*:*:*
> pkg:maven/log4j/log4j@1.2.17-norce    CRITICAL    2    Highest    27
>
> Do you think it is possible and a good idea to register the library as
> "safe" in the central database?


No, this is not a new release but the same release with some files 
removed and a way of preventing people from shooting themselves in the 
foot because they can no longer configure the culprit appenders.


After inspection of the new jar file you can add a suppression for false 
positives like

<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <suppress>
        <notes><![CDATA[
        file name: log4j-1.2.17.norce.jar
        ]]></notes>
        <gav regex="true">^log4j:log4j:1\.2\.17$</gav>
        <cve>CVE-2019-17571</cve>
        <cve>CVE-2020-9488</cve>
        <cve>CVE-2021-4104</cve>
    </suppress>
</suppressions>




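As an added example, not code from this thread or from the GeoServer/GeoTools projects: a Python script that does the "inspection of the new jar file" step before a suppression is written, checking which culprit classes a stripped log4j 1.2.x jar still ships and emitting a dependency-check suppression only for the CVEs whose classes are actually gone. The SMTPAppender-to-CVE-2020-9488 mapping, the class-prefix matching and the in-memory sample jar are assumptions of this example.

```python
"""Inspect a log4j 1.2.x jar and emit an OWASP dependency-check suppression
only for the CVEs whose culprit classes are absent from the jar.

Example code written for this thread, not GeoServer/GeoTools project code.
"""
import io
import xml.etree.ElementTree as ET
import zipfile

SUPPRESSION_NS = "https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd"

# CVE -> class-name prefixes inside the jar that carry the flaw. SocketServer
# for CVE-2019-17571 and JMSAppender for CVE-2021-4104 are named in the thread;
# SMTPAppender for CVE-2020-9488 is taken from that CVE's description and is an
# assumption of this example. Prefixes also catch inner classes (Foo$1.class).
CULPRIT_CLASSES = {
    "CVE-2019-17571": ("org/apache/log4j/net/SocketServer",),
    "CVE-2021-4104": ("org/apache/log4j/net/JMSAppender",),
    "CVE-2020-9488": ("org/apache/log4j/net/SMTPAppender",),
}


def jar_entries(jar_bytes):
    """Return the set of entry names in a jar (a jar is a zip file)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return set(zf.namelist())


def classify_cves(entries):
    """Split the known CVEs into those whose culprit classes are absent
    (safe to suppress as false positives) and those still present
    (mapped to the offending entries, sorted)."""
    suppressible, still_present = [], {}
    for cve, prefixes in sorted(CULPRIT_CLASSES.items()):
        hits = sorted(e for e in entries
                      if e.endswith(".class") and e.startswith(prefixes))
        if hits:
            still_present[cve] = hits
        else:
            suppressible.append(cve)
    return suppressible, still_present


def suppression_xml(gav_regex, cves, note):
    """Build a dependency-check suppression document for one GAV regex."""
    root = ET.Element("suppressions", xmlns=SUPPRESSION_NS)
    suppress = ET.SubElement(root, "suppress")
    ET.SubElement(suppress, "notes").text = note
    gav = ET.SubElement(suppress, "gav", regex="true")
    gav.text = gav_regex
    for cve in cves:
        ET.SubElement(suppress, "cve").text = cve
    return ET.tostring(root, encoding="unicode")


def audit_jar(jar_bytes, gav_regex, jar_name):
    """Inspect the jar; return (suppression XML or None, CVEs still present)."""
    suppressible, still_present = classify_cves(jar_entries(jar_bytes))
    if not suppressible:
        return None, still_present
    note = "file name: %s; culprit classes absent for %s" % (
        jar_name, ", ".join(suppressible))
    return suppression_xml(gav_regex, suppressible, note), still_present


def build_sample_jar():
    """Constructed stand-in for a stripped log4j jar: SocketServer and
    JMSAppender removed, SMTPAppender still shipped. Class bodies are dummies."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/apache/log4j/Logger.class", b"\xca\xfe\xba\xbe")
        zf.writestr("org/apache/log4j/net/SMTPAppender.class", b"\xca\xfe\xba\xbe")
        zf.writestr("org/apache/log4j/net/SMTPAppender$1.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    xml, present = audit_jar(build_sample_jar(), r"^log4j:log4j:1\.2\.17$",
                             "log4j-1.2.17.norce.jar")
    print(xml)
    for cve, hits in present.items():
        print("do NOT suppress %s, still present: %s" % (cve, ", ".join(hits)))
```

The sample run suppresses CVE-2019-17571 and CVE-2021-4104 but refuses CVE-2020-9488 because SMTPAppender is still in the jar; point `audit_jar` at the real jar bytes to get the list for an actual artifact.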


Re: [Geoserver-users] [EXTERN!]: LOG4J Version in GeoServer

2021-12-19 Thread Michael Steigemann via Geoserver-users
Hello!
Thank you very much for providing the geoserver.war:
log4j-1.2.17.norce.jar.
I have integrated it into geoserver and ran an OWASP dependency check (
https://jeremylong.github.io/DependencyCheck/dependency-check-cli/index.html
)

The library is still classified as critical:
geoserver.war: log4j-1.2.17.norce.jar
cpe:2.3:a:apache:log4j:1.2.17:*:*:*:*:*:*:*
pkg:maven/log4j/log4j@1.2.17-norce    CRITICAL    2    Highest    27
Do you think it is possible and a good idea to register the library as
"safe" in the central database?

All the best,
Michael



Am Do., 16. Dez. 2021 um 14:39 Uhr schrieb Andrea Aime <
andrea.a...@geosolutionsgroup.com>:

> Our official statement covers both vulnerabilities, please read:
>
> http://geoserver.org/announcements/2021/12/13/logj4-rce-statement.html
>
> Cheers
> Andrea
>
> On Thu, Dec 16, 2021 at 2:28 PM Ron Lindhoudt via Geoserver-users <
> geoserver-users@lists.sourceforge.net> wrote:
>
>> I understand that the GeoTools/Geoserver community has made a fix to
>> address the JMSAppender vulnerability: log4j-1.2.17.norce.jar
>>
>> https://repo.osgeo.org/repository/geotools-releases/log4j/log4j/1.2.17.norce/log4j-1.2.17.norce.jar
>>
>> But there is also an older vulnerability
>> https://nvd.nist.gov/vuln/detail/CVE-2019-17571
>> that says:
>> "Included in Log4j 1.2 is a SocketServer class that is vulnerable to
>> deserialization of untrusted data which can be exploited to remotely
>> execute arbitrary code when combined with a deserialization gadget when
>> listening to untrusted network traffic for log data. This affects Log4j
>> versions up to 1.2 up to 1.2.17. "
>>
>>
>> Does this affect Geoserver?
>>
>> Regards,
>> Ron
>>
>> On Thursday, 16 December 2021, 13:59:52 CET, Calliess Daniel Ing. <
>> daniel.calli...@stadt-salzburg.at> wrote:
>>
>>
>> Hi,
>>
>>
>>
>> please be aware that also log4j 1.x might be affected when using the
>> JMSAppender in the configuration!
>>
>>
>>
>> From the log4j project website:
>>
>> *Log4j 1.x does not have Lookups so the risk is lower. Applications using
>> Log4j 1.x are only vulnerable to this attack when they use JNDI in their
>> configuration. A separate CVE (CVE-2021-4104) has been filed for this
>> vulnerability. To mitigate: audit your logging configuration to ensure it
>> has no JMSAppender configured. Log4j 1.x configurations without JMSAppender
>> are not impacted by this vulnerability.*
>>
>> https://logging.apache.org/log4j/2.x/security.html#CVE-2021-44228
>>
>>
>>
>> Regards
>> Daniel
>>
>>
>>
>> *From:* Michael Steigemann via Geoserver-users [mailto:
>> geoserver-users@lists.sourceforge.net]
>> *Sent:* Monday, December 13, 2021 7:53 PM
>> *To:* GeoServer Mailing List List 
>> *Subject:* [EXTERN!]: [Geoserver-users] LOG4J Version in GeoServer
>>
>>
>>
>> Hello!
>>
>>
>>
>> I think most of you have heard of the LOG4J vulnerability these days:
>> https://nvd.nist.gov/vuln/detail/CVE-2021-44228
>>
>>
>>
>> As far as I see GeoServer 2.20.1 still uses Log4J Version
>> 1 log4j-1.2.17.jar and luckily is not affected by the problem itself. On
>> the other hand the used log4j version 1 is not officially supported since
>> 2015: "...Please note that Log4j 1.x has reached end of life and is no
>> longer supported. Vulnerabilities reported after August 2015 against Log4j
>> 1.x were not checked and will not be fixed. Users should upgrade to Log4j 2
>> to obtain security fixes" (
>> https://logging.apache.org/log4j/2.x/security.html)
>>
>>
>>
>> Are there any plans of integrating log4j Version 2 in GeoServer?
>>
>>
>>
>> Thanks for your short feedback and all the best,
>>
>> Michael

Re: [Geoserver-users] [EXTERN!]: LOG4J Version in GeoServer

2021-12-16 Thread Andrea Aime
Our official statement covers both vulnerabilities, please read:

http://geoserver.org/announcements/2021/12/13/logj4-rce-statement.html

Cheers
Andrea

On Thu, Dec 16, 2021 at 2:28 PM Ron Lindhoudt via Geoserver-users <
geoserver-users@lists.sourceforge.net> wrote:

> I understand that the GeoTools/Geoserver community has made a fix to
> address the JMSAppender vulnerability: log4j-1.2.17.norce.jar
>
> https://repo.osgeo.org/repository/geotools-releases/log4j/log4j/1.2.17.norce/log4j-1.2.17.norce.jar
>
> But there is also an older vulnerability
> https://nvd.nist.gov/vuln/detail/CVE-2019-17571
> that says:
> "Included in Log4j 1.2 is a SocketServer class that is vulnerable to
> deserialization of untrusted data which can be exploited to remotely
> execute arbitrary code when combined with a deserialization gadget when
> listening to untrusted network traffic for log data. This affects Log4j
> versions up to 1.2 up to 1.2.17. "
>
>
> Does this affect Geoserver?
>
> Regards,
> Ron
>
> On Thursday, 16 December 2021, 13:59:52 CET, Calliess Daniel Ing. <
> daniel.calli...@stadt-salzburg.at> wrote:
>
>
> Hi,
>
>
>
> please be aware that also log4j 1.x might be affected when using the
> JMSAppender in the configuration!
>
>
>
> From the log4j project website:
>
> *Log4j 1.x does not have Lookups so the risk is lower. Applications using
> Log4j 1.x are only vulnerable to this attack when they use JNDI in their
> configuration. A separate CVE (CVE-2021-4104) has been filed for this
> vulnerability. To mitigate: audit your logging configuration to ensure it
> has no JMSAppender configured. Log4j 1.x configurations without JMSAppender
> are not impacted by this vulnerability.*
>
> https://logging.apache.org/log4j/2.x/security.html#CVE-2021-44228
>
>
>
> Regards
> Daniel
>
>
>
> *From:* Michael Steigemann via Geoserver-users [mailto:
> geoserver-users@lists.sourceforge.net]
> *Sent:* Monday, December 13, 2021 7:53 PM
> *To:* GeoServer Mailing List List 
> *Subject:* [EXTERN!]: [Geoserver-users] LOG4J Version in GeoServer
>
>
>
> Hello!
>
>
>
> I think most of you have heard of the LOG4J vulnerability these days:
> https://nvd.nist.gov/vuln/detail/CVE-2021-44228
>
>
>
> As far as I see GeoServer 2.20.1 still uses Log4J Version
> 1 log4j-1.2.17.jar and luckily is not affected by the problem itself. On
> the other hand the used log4j version 1 is not officially supported since
> 2015: "...Please note that Log4j 1.x has reached end of life and is no
> longer supported. Vulnerabilities reported after August 2015 against Log4j
> 1.x were not checked and will not be fixed. Users should upgrade to Log4j 2
> to obtain security fixes" (
> https://logging.apache.org/log4j/2.x/security.html)
>
>
>
> Are there any plans of integrating log4j Version 2 in GeoServer?
>
>
>
> Thanks for your short feedback and all the best,
>
> Michael
>



Re: [Geoserver-users] [EXTERN!]: LOG4J Version in GeoServer

2021-12-16 Thread Ron Lindhoudt via Geoserver-users
I understand that the GeoTools/Geoserver community has made a fix to address
the JMSAppender vulnerability: log4j-1.2.17.norce.jar
https://repo.osgeo.org/repository/geotools-releases/log4j/log4j/1.2.17.norce/log4j-1.2.17.norce.jar

But there is also an older vulnerability
https://nvd.nist.gov/vuln/detail/CVE-2019-17571
that says: "Included in Log4j 1.2 is a SocketServer class that is vulnerable to
deserialization of untrusted data which can be exploited to remotely execute
arbitrary code when combined with a deserialization gadget when listening to
untrusted network traffic for log data. This affects Log4j versions up to 1.2
up to 1.2.17."

Does this affect Geoserver?
Regard,Ron
On Thursday, 16 December 2021, 13:59:52 CET, Calliess Daniel Ing. wrote:

Hi,

please be aware that also log4j 1.x might be affected when using the
JMSAppender in the configuration!

From the log4j project website:

Log4j 1.x does not have Lookups so the risk is lower. Applications using Log4j
1.x are only vulnerable to this attack when they use JNDI in their
configuration. A separate CVE (CVE-2021-4104) has been filed for this
vulnerability. To mitigate: audit your logging configuration to ensure it has
no JMSAppender configured. Log4j 1.x configurations without JMSAppender are not
impacted by this vulnerability.

https://logging.apache.org/log4j/2.x/security.html#CVE-2021-44228

Regards
Daniel

From: Michael Steigemann via Geoserver-users
[mailto:geoserver-users@lists.sourceforge.net]
Sent: Monday, December 13, 2021 7:53 PM
To: GeoServer Mailing List List
Subject: [EXTERN!]: [Geoserver-users] LOG4J Version in GeoServer

Hello!

I think most of you have heard of the LOG4J vulnerability these days:
https://nvd.nist.gov/vuln/detail/CVE-2021-44228

As far as I see GeoServer 2.20.1 still uses Log4J Version 1 log4j-1.2.17.jar
and luckily is not affected by the problem itself. On the other hand the used
log4j version 1 is not officially supported since 2015: "...Please note that
Log4j 1.x has reached end of life and is no longer supported. Vulnerabilities
reported after August 2015 against Log4j 1.x were not checked and will not be
fixed. Users should upgrade to Log4j 2 to obtain security fixes"
(https://logging.apache.org/log4j/2.x/security.html)

Are there any plans of integrating log4j Version 2 in GeoServer?

Thanks for your short feedback and all the best,

Michael
 ___
Geoserver-users mailing list

Please make sure you read the following two resources before posting to this 
list:
- Earning your support instead of buying it, but Ian Turton: 
http://www.ianturton.com/talks/foss4g.html#/
- The GeoServer user list posting guidelines: 
http://geoserver.org/comm/userlist-guidelines.html

If you want to request a feature or an improvement, also see this: 
https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer


Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users


Re: [Geoserver-users] [EXTERN!]: LOG4J Version in GeoServer

2021-12-16 Thread Calliess Daniel Ing.
Hi,

please be aware that also log4j 1.x might be affected when using the 
JMSAppender in the configuration!

From the log4j project website:
Log4j 1.x does not have Lookups so the risk is lower. Applications using Log4j 
1.x are only vulnerable to this attack when they use JNDI in their 
configuration. A separate CVE (CVE-2021-4104) has been filed for this 
vulnerability. To mitigate: audit your logging configuration to ensure it has 
no JMSAppender configured. Log4j 1.x configurations without JMSAppender are not 
impacted by this vulnerability.
https://logging.apache.org/log4j/2.x/security.html#CVE-2021-44228

Regards
Daniel

From: Michael Steigemann via Geoserver-users 
[mailto:geoserver-users@lists.sourceforge.net]
Sent: Monday, December 13, 2021 7:53 PM
To: GeoServer Mailing List List 
Subject: [EXTERN!]: [Geoserver-users] LOG4J Version in GeoServer

Hello!

I think most of you have heard of the LOG4J vulnerability these days: 
https://nvd.nist.gov/vuln/detail/CVE-2021-44228

As far as I see GeoServer 2.20.1 still uses Log4J Version 1 log4j-1.2.17.jar 
and luckily is not affected by the problem itself. On the other hand the used 
log4j version 1 is not officially supported since 2015: "...Please note that 
Log4j 1.x has reached end of life and is no longer supported. Vulnerabilities 
reported after August 2015 against Log4j 1.x were not checked and will not be 
fixed. Users should upgrade to Log4j 2 to obtain security fixes" 
(https://logging.apache.org/log4j/2.x/security.html)

Are there any plans of integrating log4j Version 2 in GeoServer?

Thanks for your short feedback and all the best,
Michael
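The mitigation Daniel quotes from the log4j project, both in his own message and as quoted in Ron's reply above, is to audit the logging configuration for a JMSAppender. The script below turns that audit into a check. It is an added example and is not code from this thread, from GeoServer or from the log4j project: it parses the two configuration forms log4j 1.x accepts (the .properties form read by PropertyConfigurator and the XML form read by DOMConfigurator), lists every configured appender with its class, and flags any appender whose class is org.apache.log4j.net.JMSAppender. The two sample configurations embedded in it are constructed for the demonstration; the appender names and the topic name are made up.

```python
"""Audit a log4j 1.x configuration for the JMSAppender (CVE-2021-4104).

Added example, not code from the mailing-list thread, from GeoServer or from
the log4j project. log4j 1.x reads its configuration either as a .properties
file or as an XML file; this script parses both, lists every appender with
its class and flags any appender whose class is
org.apache.log4j.net.JMSAppender. The sample configurations below are
constructed for the demonstration.
"""
import re
import xml.etree.ElementTree as ET

JMS_APPENDER = "org.apache.log4j.net.JMSAppender"

# properties syntax: "log4j.appender.<name>=<class>"; lines such as
# "log4j.appender.<name>.layout=..." set appender properties and must not match.
_PROP_APPENDER = re.compile(r"^\s*log4j\.appender\.([^.=:\s]+)\s*[=:]\s*(\S+)\s*$")


def appenders_from_properties(text):
    """Return {appender_name: class_name} from log4j.properties content."""
    found = {}
    for line in text.splitlines():
        if line.lstrip().startswith(("#", "!")):
            continue  # comment line
        m = _PROP_APPENDER.match(line)
        if m:
            found[m.group(1)] = m.group(2)
    return found


def appenders_from_xml(text):
    """Return {appender_name: class_name} from log4j.xml content."""
    root = ET.fromstring(text)
    found = {}
    for el in root.iter():
        # compare on the local name so a namespace prefix does not hide it
        if el.tag.rsplit("}", 1)[-1] == "appender":
            found[el.get("name")] = el.get("class")
    return found


def audit_config(text):
    """Parse either format and return (all_appenders, flagged_appender_names)."""
    if text.lstrip().startswith("<"):
        appenders = appenders_from_xml(text)
    else:
        appenders = appenders_from_properties(text)
    flagged = sorted(name for name, cls in appenders.items() if cls == JMS_APPENDER)
    return appenders, flagged


# Constructed sample: a console and a rolling-file appender plus a JMSAppender.
SAMPLE_PROPERTIES = """\
# constructed log4j.properties for the demonstration
log4j.rootLogger=INFO, stdout, geoserverlogfile, jms
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.geoserverlogfile=org.apache.log4j.RollingFileAppender
log4j.appender.geoserverlogfile.File = logs/geoserver.log
log4j.appender.jms = org.apache.log4j.net.JMSAppender
log4j.appender.jms.TopicBindingName=logTopic
"""

# Constructed sample in the XML form, with only a console appender.
SAMPLE_XML = """\
<!DOCTYPE log4j:configuration SYSTEM "log4j.dtd">
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <appender name="stdout" class="org.apache.log4j.ConsoleAppender">
    <layout class="org.apache.log4j.PatternLayout"/>
  </appender>
  <root>
    <level value="INFO"/>
    <appender-ref ref="stdout"/>
  </root>
</log4j:configuration>
"""


def main():
    for label, text in (("properties", SAMPLE_PROPERTIES), ("xml", SAMPLE_XML)):
        appenders, flagged = audit_config(text)
        print(f"[{label}] appenders: {appenders}")
        if flagged:
            print(f"[{label}] FLAGGED: JMSAppender configured as {flagged}")
        else:
            print(f"[{label}] no JMSAppender configured")


if __name__ == "__main__":
    main()
```

Run against a deployment, `audit_config` is fed the contents of each log4j configuration file the server actually loads. Listing every appender class, not only the flagged one, is deliberate: the reviewer sees at a glance what else writes log output and where. This is a configuration scan and nothing more; it complements, rather than replaces, swapping the jar for the patched build mentioned in the thread. It also says nothing about CVE-2019-17571, which Ron asks about: that issue concerns org.apache.log4j.net.SocketServer, a standalone listener class that is started as its own process rather than declared as an appender, so whether it applies depends on whether that class is run at all, not on anything in the appender configuration.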