If you aren't able to get the "fixed" version of the jar that fixes the vulnerability, I would suggest adding this to your Java Options for Tomcat:
-Dlog4j2.formatMsgNoLookups=true Thanks, Dream * Excel * Explore * Inspire Jon McAlexander Infrastructure Engineer Asst Vice President Middleware Product Engineering Enterprise CIO | EAS | Middleware | Infrastructure Solutions 8080 Cobblestone Rd | Urbandale, IA 50322 MAC: F4469-010 Tel 515-988-2508 | Cell 515-988-2508 jonmcalexan...@wellsfargo.com This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose, or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation. > -----Original Message----- > From: James H. H. Lampert <jam...@touchtonecorp.com.INVALID> > Sent: Friday, December 10, 2021 4:17 PM > To: Tomcat Users List <users@tomcat.apache.org> > Subject: CVE-2021-44228 Log4j 2 Vulnerability -- How does this affect > Tomcat? > > A customer brought this to my attention: > > https://urldefense.com/v3/__https://www.randori.com/blog/cve-2021- > 44228/__;!!F9svGWnIaVPGSwU!4F2Gxy74aEjsyAmQbarXs0sh- > EMIt2eM6h6liBLnKEwxjqWAPfIMcp1Od6nSrgSx9n0rFIs$ > > I have no idea how (or if) Tomcat is affected. I have only the vaguest idea > what this vulnerability even *is.* > > Can anybody here shed any light? > > -- > JHHL > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org
