While GeoServer is not vulnerable to the Log4J2 Log4Shell vulnerability <http://geoserver.org/announcements/2021/12/13/logj4-rce-statement.html>, we would like to thank everyone who has reached out with offers of concern and assistance.

The *Log4J 1.2* library used by GeoServer has a number of smaller vulnerabilities which we would like to address. While the *GeoServer default configuration* is not vulnerable, it is time to upgrade or replace this library. If you are at all concerned, locate WEB-INF/lib/log4j-1.2.17.jar, replace it with our custom log4j-1.2.17.norce.jar <https://repo.osgeo.org/repository/geotools-releases/log4j/log4j/1.2.17.norce/log4j-1.2.17.norce.jar>, and restart GeoServer.

The GeoServer Project Steering Committee invites:

- Proposals for updating or replacing the Log4J1 <https://github.com/geoserver/geoserver/wiki/Update-or-replace-Log4J-1-library> library used by GeoServer. Successful proposals should consider changes required to GeoTools logging (which bridges from java utility logging to the selected logging library), integration with GeoWebCache (uses apache-commons-logging to delegate to the selected logging library), and GeoServer (which allows users to select different logging profiles without restarting the application).
- Sponsors <https://github.com/geoserver/geoserver/wiki/Sponsor> interested in funding this activity as a security concern. Organisations running GeoServer in a cloud environment are also encouraged to fund this activity. The leading contenders (log4j2, logback, java util logging) provide better integration with cloud logging services than the log4j1 library presently used.

This is a time sensitive activity as we would like to select a good proposal and see the result implemented for the upcoming GeoServer 2.21-RC Release Candidate in March.

Thanks to activity sponsors for your support:

- opengeogroep.nl
- www.terrestris.de <https://www.terrestris.de/en/>
- how2map.com
- Add your name here <https://github.com/geoserver/geoserver/wiki/Sponsor> via OSGeo GitHub Sponsorship (monthly donation), PayPal (one time donation), or OSGeo sponsorship (direct invoice).
For more information visit updating or replacing the Log4J1 <https://github.com/geoserver/geoserver/wiki/Update-or-replace-Log4J-1-library> wiki page.
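The jar swap described above, as an added POSIX shell example that is not part of the announcement or the GeoServer project: it inventories the Log4J 1.x jars in an exploded GeoServer webapp, reports whether the stock jar has already been replaced by the norce jar, and performs the swap while keeping a backup outside WEB-INF/lib so the container never loads both copies. The webapp path and the downloaded jar path are assumed arguments.

```shell
#!/bin/sh
# Added example (not GeoServer project code).
# $1 = exploded GeoServer webapp directory (assumed, e.g. /opt/tomcat/webapps/geoserver)

# Print a one-line status and return 0 only when WEB-INF/lib holds the norce jar
# and no other Log4J 1.x jar (stock or otherwise) that could still be loaded.
log4j1_status() {
    lib="$1/WEB-INF/lib"
    stock=0; norce=0
    if [ -f "$lib/log4j-1.2.17.jar" ]; then stock=1; fi
    if [ -f "$lib/log4j-1.2.17.norce.jar" ]; then norce=1; fi
    # Any other log4j-1.x jar (older version, duplicate) also needs attention.
    other=$(find "$lib" -maxdepth 1 -name 'log4j-1.*.jar' \
        ! -name 'log4j-1.2.17.jar' ! -name 'log4j-1.2.17.norce.jar' 2>/dev/null \
        | wc -l | tr -d ' ')
    if [ "$norce" -eq 1 ] && [ "$stock" -eq 0 ] && [ "$other" -eq 0 ]; then
        echo "OK: $lib uses log4j-1.2.17.norce.jar only"
        return 0
    fi
    echo "ACTION NEEDED: $lib stock=$stock norce=$norce other_log4j1_jars=$other"
    return 1
}

# Replace the stock jar with the norce jar ($2 = path of the downloaded
# log4j-1.2.17.norce.jar). The original is moved to <webapp>/../log4j-backup
# rather than renamed in place, because Tomcat loads every jar in WEB-INF/lib.
replace_log4j1() {
    lib="$1/WEB-INF/lib"
    backup="$1/../log4j-backup"
    [ -f "$lib/log4j-1.2.17.jar" ] || { echo "stock jar not found in $lib"; return 1; }
    [ -f "$2" ] || { echo "norce jar not found: $2"; return 1; }
    mkdir -p "$backup" && mv "$lib/log4j-1.2.17.jar" "$backup/" || return 1
    cp "$2" "$lib/log4j-1.2.17.norce.jar" || return 1
    echo "replaced; restart GeoServer so the new jar is loaded"
}
```

After the swap, `log4j1_status` is the check to run again once GeoServer has restarted, and on every node if the webapp is deployed to several.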
_______________________________________________
Geoserver-users mailing list

Please make sure you read the following two resources before posting to this list:

- Earning your support instead of buying it, by Ian Turton: http://www.ianturton.com/talks/foss4g.html#/
- The GeoServer user list posting guidelines: http://geoserver.org/comm/userlist-guidelines.html

If you want to request a feature or an improvement, also see this: https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer

Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users