On 19-12-2021 11:11, Michael Steigemann via Geoserver-users wrote:
Hello!
Thank you very much for providing the geoserver.war: log4j-1.2.17.norce.jar. I have integrated it into GeoServer and ran an OWASP dependency check ( https://jeremylong.github.io/DependencyCheck/dependency-check-cli/index.html )

The library is still classified as critical:
geoserver.war: log4j-1.2.17.norce.jar cpe:2.3:a:apache:log4j:1.2.17:*:*:*:*:*:*:* pkg:maven/log4j/log4j@1.2.17-norce CRITICAL 2 Highest 27

Do you think it is possible and a good idea to register the library as "safe" in the central database?

No, this is not a new release but the same release with some files removed and a way of preventing people from shooting themselves in the foot because they can no longer configure the culprit appenders.

After inspection of the new jar file you can add a suppression for false positives like

<suppress>
    <notes>
        <![CDATA[
                 log4j 1.2.17 with the culprit appenders removed (norce build);
                 the scanner reports the version as 1.2.17-norce, so the
                 pattern below accepts both the plain and the -norce version.

                 CVE-2019-17571 log4j Socket Server
                 CVE-2020-9488 log4j SMTP appender
                 CVE-2021-4104 log4j JMSAppender
        ]]>
    </notes>
    <gav regex="true">^log4j:log4j:1\.2\.17(-norce)?$</gav>
    <cve>CVE-2019-17571</cve>
    <cve>CVE-2020-9488</cve>
    <cve>CVE-2021-4104</cve>
</suppress>
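The reply says to inspect the jar before suppressing the findings. The following script, added here as an example and not part of the original thread or of GeoServer, automates that inspection: it opens the jar as a zip archive, checks that the class behind each of the three CVEs is really gone, and only then renders a dependency-check suppression entry. The mapping from CVE to class file and the in-memory sample jars are constructed for this example; the gav pattern is an assumption that accepts both the plain and the -norce version string.

```python
import io
import zipfile
from xml.sax.saxutils import escape

# Class whose presence would make each suppressed CVE applicable again.
# Assembled for this example from the CVE notes in the reply above.
CVE_CLASSES = {
    "CVE-2019-17571": "org/apache/log4j/net/SocketServer.class",
    "CVE-2020-9488": "org/apache/log4j/net/SMTPAppender.class",
    "CVE-2021-4104": "org/apache/log4j/net/JMSAppender.class",
}

# Assumed pattern: dependency-check reports the norce build as 1.2.17-norce.
DEFAULT_GAV_REGEX = r"^log4j:log4j:1\.2\.17(-norce)?$"


def vulnerable_classes_present(jar_bytes):
    """Return the CVEs whose culprit class is still inside the jar."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = set(jar.namelist())
    return sorted(cve for cve, cls in CVE_CLASSES.items() if cls in names)


def is_stripped(jar_bytes):
    """True when none of the culprit classes remain in the jar."""
    return not vulnerable_classes_present(jar_bytes)


def suppression_xml(gav_regex, cves, notes):
    """Render a dependency-check <suppress> entry for the given CVEs."""
    lines = ["<suppress>", "    <notes><![CDATA[", notes, "    ]]></notes>"]
    lines.append('    <gav regex="true">%s</gav>' % escape(gav_regex))
    lines.extend("    <cve>%s</cve>" % escape(cve) for cve in cves)
    lines.append("</suppress>")
    return "\n".join(lines)


def build_suppression(jar_bytes, gav_regex=DEFAULT_GAV_REGEX):
    """Emit the suppression only after the jar passed inspection.

    Raises ValueError naming the CVEs whose class is still present, so a
    CI step cannot silently suppress a finding that still applies.
    """
    remaining = vulnerable_classes_present(jar_bytes)
    if remaining:
        raise ValueError("culprit classes still present: " + ", ".join(remaining))
    notes = "\n".join("        %s: %s removed" % (cve, cls)
                      for cve, cls in sorted(CVE_CLASSES.items()))
    return suppression_xml(gav_regex, sorted(CVE_CLASSES), notes)


def make_jar(entry_names):
    """Constructed in-memory jar with the given entries (sample input only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name in entry_names:
            jar.writestr(name, b"\xca\xfe\xba\xbe")  # class-file magic, no real bytecode
    return buf.getvalue()


# Constructed samples: a stock-style jar and one with the appenders removed.
STOCK_JAR = make_jar([
    "org/apache/log4j/Logger.class",
    "org/apache/log4j/net/SocketServer.class",
    "org/apache/log4j/net/SMTPAppender.class",
    "org/apache/log4j/net/JMSAppender.class",
])
STRIPPED_JAR = make_jar([
    "org/apache/log4j/Logger.class",
    "org/apache/log4j/net/SocketAppender.class",
])

if __name__ == "__main__":
    print("stock jar still carries:", vulnerable_classes_present(STOCK_JAR))
    print(build_suppression(STRIPPED_JAR))
```

Run it against the real jar by replacing the constructed samples with `open("log4j-1.2.17.norce.jar", "rb").read()`; the generated block can be appended to the project's suppression file, and the ValueError path is what keeps a stock log4j jar from ever being whitelisted by mistake.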




_______________________________________________
Geoserver-users mailing list

Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users